[Swan] Does libreswan 1.15 have a problem with spaces in CA common names/nicknames

Paul Wouters paul at nohats.ca
Tue Sep 8 15:06:50 UTC 2015


On Tue, 8 Sep 2015, Tony Whyman wrote:

> Thanks for getting back. If you look down my original EMail, I have already 
> tried:
>
> certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
> certutil: certificate is invalid: Peer's certificate issuer has been marked 
> as not trusted by the user.
> rebecca ~ # certutil -M -d sql:/etc/ipsec.d -n "MWA Root CA" -t "CT,"
> rebecca ~ # certutil -V -d sql:/etc/ipsec.d -n "MWA Root CA" -u C
> certutil: certificate is valid
>
> but with no luck. I noted that your suggestion had two "," in it, so tried 
> that as well, just in case, but still the same result.

Ok, then your issue has not been the update of the nss database. Your
problem then lies in the fact that we now use NSS for the certificate
validation instead of the very old freeswan based x509*.c code.

Matt is a little more familiar with pulling on those kinds of errors, so
I've CC:ed him on this. If you can, please give me and/or him a copy of
your CA cert so we can have a look at it.

> I am thus guessing that because of the parse problem in the import script, no 
> one has actually tested 1.15 with a CA having spaces in its nickname - hence 
> this is why I think that this is where the problem lies.

No, that is not the problem. See:

https://github.com/libreswan/libreswan/blob/master/testing/pluto/nss-cert-01-ikev2/west.console.txt

all our test cases use a CA called "Libreswan test CA for mainca - Libreswan"

Paul
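Added example, not part of this thread or of libreswan itself: a small POSIX sh helper that reads the text produced by "certutil -L -d sql:/etc/ipsec.d" and reports the trust flags recorded for a CA nickname, so that a nickname containing spaces (such as "MWA Root CA") can be checked for the "CT,," trust setting before running "certutil -V". The listing embedded below is constructed to mimic certutil's column layout and is not taken from the poster's database; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the Swan list thread): parse a "certutil -L"
# listing and look up the trust attributes of one nickname. Nicknames may
# contain spaces, so the last whitespace-separated field of a row is taken
# as the trust flags and everything before it as the nickname.

# CONSTRUCTED sample in the shape certutil prints; not real database output.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

MWA Root CA                                                  CT,,
rebecca.example.org                                          u,u,u
Old CA                                                       ,,
'

# trust_flags LISTING NICKNAME
# Prints the trust attribute column (e.g. "CT,,") for NICKNAME, or nothing
# if the nickname is not present in the listing.
trust_flags() {
    listing=$1
    nick=$2
    while IFS= read -r line; do
        # drop trailing whitespace so the last field is really the flags
        line=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')
        [ -z "$line" ] && continue
        case $line in
            'Certificate Nickname'*|*'SSL,S/MIME'*) continue ;;   # header rows
        esac
        flags=${line##* }                 # last field: SSL,S/MIME,JAR/XPI flags
        name=${line%"$flags"}             # nickname plus column padding
        name=$(printf '%s' "$name" | sed 's/[[:space:]]*$//')
        if [ "$name" = "$nick" ]; then
            printf '%s\n' "$flags"
            return 0
        fi
    done <<EOF
$listing
EOF
    return 0
}

# ca_trusted LISTING NICKNAME
# Exit 0 when the SSL column (first comma-separated part) carries both
# C (valid CA) and T (trusted CA for client certificates), i.e. what
# "certutil -M -t CT,," sets; exit 1 otherwise or if the nickname is absent.
ca_trusted() {
    f=$(trust_flags "$1" "$2")
    [ -n "$f" ] || return 1
    ssl=${f%%,*}
    case $ssl in
        *C*T*|*T*C*) return 0 ;;
    esac
    return 1
}

# Stand-alone usage with the constructed listing.
for n in "MWA Root CA" "Old CA" "Missing CA"; do
    if ca_trusted "$SAMPLE_LISTING" "$n"; then
        echo "$n: trusted as CA ($(trust_flags "$SAMPLE_LISTING" "$n"))"
    else
        echo "$n: NOT trusted as CA (flags: '$(trust_flags "$SAMPLE_LISTING" "$n")')"
    fi
done
```

In practice the listing would come from "certutil -L -d sql:/etc/ipsec.d" rather than the embedded sample; a CA whose SSL column lacks C and T is exactly the case in which NSS reports the issuer as not trusted, which is the first thing to rule out before looking at the certificate itself.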

