[Swan] Question/troubleshooting x509 w/ intermediate & root CA

Paul Wouters paul at nohats.ca
Mon Sep 26 04:33:53 UTC 2016


On Fri, 23 Sep 2016, Bryan Harris wrote:

> Welp, I got to playing around with the old certs that were working, and I somehow broke them.  Then I went back
> through everything and noticed I had to change the trust bits.
> 
> So these trust bits work:
> 
> "CT,,"

Yes, you need the trust bits set properly. Libreswan does that on
startup using the "ipsec checknss" command (as part of the service
startup). Older versions did not do this.


> And I can't recall where I found the documentation for these, but I had read it at some point.  But the NEW certs
> import properly in the first place, so there is not a need (I thought) to set any trust bits (the new ones look like
> "CT,," so I left it alone).

The "ipsec import" should also properly set the trust bits.

> One other funny thing is that even though the tunnel works using the old certs with the proper trust bits, when I do
> a "ipsec auto --listall" each server still only shows its own cert in that top list for "List of RSA Public Keys".

The remote endpoint certificate will come in over IKE, so you will only
see that once you received it from the other end.

Paul
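The trust-bit requirement discussed above, as an added audit script (example code, not from this thread and not part of Libreswan): it parses `certutil -L` style output for a libreswan NSS database and reports entries whose SSL trust column lacks the C and T flags that make up the "CT,," the thread refers to. The sample listing is constructed; the `sql:/etc/ipsec.d` path and the `certutil -M ... -t "CT,,"` repair command are standard NSS certutil usage, and treating every entry without a "u" or "P" flag as an expected CA is an assumption of this script.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit NSS trust bits the way
# "ipsec checknss" is expected to have set them. CA certificates in the
# libreswan NSS database need "CT,," (trusted CA for server and client auth).

# Constructed sample in the layout "certutil -L -d sql:/etc/ipsec.d" prints.
SAMPLE_CERT_LIST='Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

rootca                                       CT,,
intermediateca                               ,,
east.example.com                             u,u,u'

# check_trust_bits: read certutil -L style text on stdin and print one line
# for each entry that is neither a user cert ("u", has a private key) nor a
# trusted peer ("P") and is missing C or T in the SSL column (assumption:
# such entries are meant to be CAs). Exit 0 when all CA entries carry CT,
# 1 otherwise, so the function can drive a health check.
check_trust_bits() {
    awk '
        NR <= 2 || NF < 2 { next }             # column headers and blank line
        {
            trust = $NF                        # e.g. "CT,," or "u,u,u"
            nick = $0                          # nickname may contain spaces
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)
            sub(/^[ \t]+/, "", nick)
            split(trust, col, ",")             # col[1] is the SSL column
            if (index(col[1], "u") > 0 || index(col[1], "P") > 0) next
            if (index(col[1], "C") == 0 || index(col[1], "T") == 0) {
                printf "%s: trust bits \"%s\" lack CT (fix: certutil -M -d sql:/etc/ipsec.d -n \"%s\" -t \"CT,,\")\n", nick, trust, nick
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Stand-alone demo on the constructed listing; on a real host pipe
# "certutil -L -d sql:/etc/ipsec.d" into check_trust_bits instead.
printf '%s\n' "$SAMPLE_CERT_LIST" | check_trust_bits \
    || echo "some CA entries need their trust bits fixed"
```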

