[Swan] Heads Up: AddTrust Root CA expiration causes Windows IPsec client failures

Paul Wouters paul at nohats.ca
Sun May 31 14:32:57 UTC 2020

A heads up to people.

The AddTrust CA Root certificate expired on May 30. If you are using
this Root CA certificate with IKE/IPsec, please be aware that Windows
clients are failing to ignore this expired root CA. It seems Apple
clients have no problem picking up the new Root CA and ignoring the
old one.

You would already have the updated replacement Root CA as well because
AddTrust did ship that CA in their bundle for at least the last year.

You can verify this in your libreswan install using:

certutil -L -d sql:/etc/ipsec.d

Certificate Nickname                                         Trust Attributes

COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited CT,, 
COMODO RSA Certification Authority - AddTrust AB             CT,, 
AddTrust External CA Root - AddTrust AB                      CT,, 
yourvpnserver.com                                            u,u,u

You can see the AddTrust cert is expired using:

certutil -L -d sql:/etc/ipsec.d -n "AddTrust External CA Root - AddTrust AB"

         Version: 3 (0x2)
         Serial Number: 1 (0x1)
         Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
         Issuer: "CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE"
             Not Before: Tue May 30 10:48:38 2000
             Not After : Sat May 30 10:48:38 2020
         Subject: "CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE"


If you see this, you will have to run:

certutil -D -d sql:/etc/ipsec.d -n "AddTrust External CA Root - AddTrust AB"

And then restart libreswan.

You should have "COMODO RSA Certification Authority - AddTrust AB",
which is the replacement for the expired Root CA, and that will be
used by all clients for building a root of trust to the VPN server.
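The check and cleanup described above, as an added Python example that is not part of this post or of libreswan: it parses the `certutil -L` listing and the per-certificate dump format shown above, flags trust anchors (CT flags) whose "Not After" date has passed, and builds the `certutil -D` command for each so the expired root can be removed before restarting libreswan. The database path `sql:/etc/ipsec.d` is the assumed default; the sample listing and certificate dumps are constructed from the post, with placeholder expiry dates for the two COMODO certificates. certutil's validity timestamps are treated as UTC, which matches the AddTrust expiry shown above.

```python
"""Find expired trust anchors in a libreswan NSS database by parsing certutil output.

Added example, not libreswan's own code. Assumes the default database
sql:/etc/ipsec.d and the text layout that `certutil -L` prints.
"""
import re
import subprocess
from datetime import datetime, timezone

NSS_DB = "sql:/etc/ipsec.d"  # assumed default libreswan NSS database location

# Trust attributes look like "CT,," or "u,u,u": three comma-separated flag fields.
TRUST_RE = re.compile(r"[A-Za-z]*,[A-Za-z]*,[A-Za-z]*")
# certutil prints validity as e.g. "Not After : Sat May 30 10:48:38 2020" (UTC)
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4})")


def parse_cert_list(listing: str) -> list:
    """Turn `certutil -L` output into (nickname, trust_flags) pairs."""
    certs = []
    for line in listing.splitlines():
        nick, _, trust = line.rstrip().rpartition(" ")
        if not nick.strip() or not TRUST_RE.fullmatch(trust):
            continue  # header line, blank line or anything that is not a cert row
        certs.append((nick.rstrip(), trust))
    return certs


def parse_not_after(cert_dump: str) -> datetime:
    """Extract the 'Not After' timestamp from `certutil -L -n <nick>` output."""
    m = NOT_AFTER_RE.search(cert_dump)
    if not m:
        raise ValueError("no 'Not After' line found in certificate dump")
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")


def is_trusted_ca(trust: str) -> bool:
    """A cert is a trust anchor for peer validation if its SSL field carries C or T."""
    ssl_flags = trust.split(",")[0]
    return "C" in ssl_flags or "T" in ssl_flags


def expired_trusted_cas(listing: str, dumps: dict, now_iso: str = None) -> list:
    """Return nicknames of trusted CA certs whose validity ended before `now` (UTC)."""
    now = (datetime.fromisoformat(now_iso) if now_iso
           else datetime.now(timezone.utc).replace(tzinfo=None))
    expired = []
    for nick, trust in parse_cert_list(listing):
        if not is_trusted_ca(trust):
            continue  # e.g. the VPN server's own end-entity cert (u,u,u)
        if parse_not_after(dumps[nick]) < now:
            expired.append(nick)
    return expired


def certutil_delete_cmd(nick: str, db: str = NSS_DB) -> list:
    """argv that removes one cert by nickname, mirroring the command in the post."""
    return ["certutil", "-D", "-d", db, "-n", nick]


def certutil(*args, db: str = NSS_DB) -> str:
    """Run certutil against the NSS database and return its stdout (live use only)."""
    return subprocess.run(["certutil", "-d", db, *args], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample data reproducing the listing shown in the post.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited CT,,
COMODO RSA Certification Authority - AddTrust AB             CT,,
AddTrust External CA Root - AddTrust AB                      CT,,
yourvpnserver.com                                            u,u,u
"""

# Constructed dumps: the AddTrust dates are from the post, the other two are placeholders.
SAMPLE_DUMPS = {
    "AddTrust External CA Root - AddTrust AB":
        "             Not Before: Tue May 30 10:48:38 2000\n"
        "             Not After : Sat May 30 10:48:38 2020\n",
    "COMODO RSA Certification Authority - AddTrust AB":
        "             Not After : Mon Jan 18 23:59:59 2038\n",
    "COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited":
        "             Not After : Sun Feb 11 23:59:59 2029\n",
}


if __name__ == "__main__":
    # Live mode: query the real database and print the removal command for each expired anchor.
    listing = certutil("-L")
    dumps = {n: certutil("-L", "-n", n) for n, t in parse_cert_list(listing) if is_trusted_ca(t)}
    for nick in expired_trusted_cas(listing, dumps):
        print("expired trust anchor:", nick, "->", " ".join(certutil_delete_cmd(nick)))
```

Run it as root on the VPN server to get the exact `certutil -D` line for every expired anchor; it only prints the command, so you can review it before running it and then restart libreswan as the post says.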
