[Swan] Heads Up: AddTrust Root CA expiration causes Windows IPsec client failures
paul at nohats.ca
Sun May 31 14:32:57 UTC 2020
A heads up to people.
The AddTrust CA Root certificate expired on May 30. If you are using
this Root CA certificate with IKE/IPsec, please be aware that Windows
clients are failing to ignore this expired root CA. It seems Apple
clients have no problem picking up the new Root CA and ignoring the
You would already have the updated replacement Root CA as well because
AddTrust did ship that CA in their bundle for at least the last year.
You can verify this in your libreswan install using:
certutil -L -d sql:/etc/ipsec.d
Certificate Nickname Trust Attributes
COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited CT,,
COMODO RSA Certification Authority - AddTrust AB CT,,
AddTrust External CA Root - AddTrust AB CT,,
You can see the AddTrust cert is expired using:
certutil -L -d sql:/etc/ipsec.d -n "AddTrust External CA Root - AddTrust AB"
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=AddTrust External CA Root,OU=AddTrust External TTP Networ
Not Before: Tue May 30 10:48:38 2000
Not After : Sat May 30 10:48:38 2020
Subject: "CN=AddTrust External CA Root,OU=AddTrust External TTP Netwo
If you see this, you will have to run:
certutil -D -d sql:/etc/ipsec.d -n "AddTrust External CA Root - AddTrust AB"
And then restart libreswan.
You should have "COMODO RSA Certification Authority - AddTrust AB",
which is the replacement for the expired Root CA, and that will be
used by all clients for building a root of trust to the VPN server
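The check-and-remove procedure described above, as an added example that is not part of the original post or of libreswan itself: it parses the output of the two certutil invocations shown (the nickname listing and the per-certificate dump), reports every certificate whose "Not After" is in the past, and only with --delete removes them with certutil -D. The NSS directory sql:/etc/ipsec.d, the embedded sample certutil outputs and their expiry dates are constructed for the example; `ipsec restart` is assumed to be the libreswan wrapper command for restarting pluto.

```python
#!/usr/bin/env python3
"""Audit a libreswan NSS database for expired CA certificates (added example).

Run without arguments to list expired certificates; add --delete to remove
them with `certutil -D`, after which libreswan must be restarted so pluto
reloads the NSS database.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

NSS_DIR = "sql:/etc/ipsec.d"  # assumption: libreswan's default NSS database

# Constructed sample of `certutil -L -d sql:/etc/ipsec.d`, modelled on the post.
SAMPLE_LIST = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited CT,,
COMODO RSA Certification Authority - AddTrust AB             CT,,
AddTrust External CA Root - AddTrust AB                      CT,,
"""

# Constructed samples of `certutil -L -d ... -n <nickname>` (only the lines
# this script looks at matter; dates for the non-expired entries are invented).
SAMPLE_DETAILS = {
    "COMODO RSA Domain Validation Secure Server CA - COMODO CA Limited":
        "        Validity:\n            Not Before: Wed Feb 12 00:00:00 2014\n"
        "            Not After : Sun Feb 11 23:59:59 2029\n        Subject: \"CN=...\"\n",
    "COMODO RSA Certification Authority - AddTrust AB":
        "        Validity:\n            Not Before: Tue Jan 19 00:00:00 2010\n"
        "            Not After : Mon Jan 18 23:59:59 2038\n        Subject: \"CN=...\"\n",
    "AddTrust External CA Root - AddTrust AB":
        "        Validity:\n            Not Before: Tue May 30 10:48:38 2000\n"
        "            Not After : Sat May 30 10:48:38 2020\n        Subject: \"CN=...\"\n",
}

# NSS trust strings are three comma-separated flag groups, e.g. "CT,," or ",,".
TRUST_RE = re.compile(r"[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)")
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"  # certutil prints validity in UTC


def parse_nicknames(listing):
    """Return (nickname, trust) pairs from `certutil -L` output.

    Nicknames may contain spaces, so split off only the last token and accept
    the line when that token looks like an NSS trust string."""
    certs = []
    for line in listing.splitlines():
        parts = line.rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.fullmatch(parts[1]):
            certs.append((parts[0].strip(), parts[1]))
    return certs


def not_after(cert_text):
    """Parse the 'Not After' timestamp from a `certutil -L -n <nick>` dump."""
    m = NOT_AFTER_RE.search(cert_text)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1).strip(), CERTUTIL_TIME)


def is_expired(cert_text, now=None):
    """True when the certificate's validity ended before `now` (UTC)."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    return not_after(cert_text) < now


def expired_nicknames(listing, fetch_cert, now=None):
    """Nicknames in `listing` whose dump (obtained via fetch_cert) is expired."""
    return [nick for nick, _ in parse_nicknames(listing)
            if is_expired(fetch_cert(nick), now)]


def certutil(*args):
    """Run certutil against NSS_DIR and return its stdout."""
    proc = subprocess.run(["certutil", *args, "-d", NSS_DIR],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def main(delete=False):
    expired = expired_nicknames(certutil("-L"), lambda n: certutil("-L", "-n", n))
    for nick in expired:
        print("expired:", nick)
        if delete:
            certutil("-D", "-n", nick)
            print("deleted:", nick)
    if expired and delete:
        print("now restart libreswan (assumed command: ipsec restart)")
    return expired


if __name__ == "__main__":
    main(delete="--delete" in sys.argv[1:])
```

Deleting a trust anchor is a one-way change for the clients that still chain through it, so run the script once without --delete and confirm that the replacement CA the post names is present in the listing before removing the expired one.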