[Swan] Guidance for "complex multi CA certificate situations"

Tuomo Soini tis at foobar.fi
Mon Aug 21 11:13:51 EEST 2023


On Fri, 18 Aug 2023 12:45:37 -0600
Nels Lindquist <nlindq at maei.ca> wrote:

> Hi, all.
> 
> While we transition from certificates signed by our expiring internal 
> CA, I'd like to be able to use client certificates signed by either
> the old or new CA for VPN access.

> So... can leftca/rightca take multiple values? Can there be multiple 
> parallel connection definitions with different certificates/CAs for
> the same functionality? Or something else entirely?

If you omit leftca and rightca, any valid CA from your NSS db is OK,
which is normally what you want.

Only if you have extra CA certs you want to trust for a single connection
only are you in trouble, and then you need to duplicate all your connections
with a different local certificate and rightca=%same...

Some VPN clients only allow the gateway to have a certificate signed by the
same CA, so you might be forced to duplicate your connections for the
transition anyway, because your gw certificate must match the client
certificate CA in this case.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
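The two layouts described in the reply above, written out as libreswan
ipsec.conf fragments. This is an added example, not configuration from the
original post or from the libreswan project; the conn names, the NSS
certificate nicknames (gw-oldca, gw-newca), the address pool and the subnet
are assumptions for illustration, and both CA certificates are assumed to
already be imported into the NSS database that libreswan uses.

```ini
# Layout 1: no leftca/rightca at all. Any CA present in the NSS db is
# acceptable for the client certificate, so clients issued by the old or
# the new internal CA both match this single conn. The gateway presents
# whichever certificate leftcert names (here the new-CA one, assumed).
conn vpn-any-ca
    left=%defaultroute
    leftcert=gw-newca
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightaddresspool=10.99.0.0/24
    authby=rsasig
    ikev2=yes
    auto=add

# Layout 2: for clients that insist the gateway certificate comes from the
# same CA as their own. Everything common lives in a template conn that is
# never loaded on its own (auto=ignore); each real conn pulls it in with
# also= and sets only the local certificate plus rightca=%same, which tells
# libreswan to accept client certificates only from the CA that issued
# that local certificate. Each conn therefore pairs old-CA clients with the
# old-CA gateway certificate and new-CA clients with the new one.
conn vpn-base
    left=%defaultroute
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert
    rightaddresspool=10.99.0.0/24
    authby=rsasig
    ikev2=yes
    auto=ignore

conn vpn-oldca
    also=vpn-base
    leftcert=gw-oldca
    rightca=%same
    auto=add

conn vpn-newca
    also=vpn-base
    leftcert=gw-newca
    rightca=%same
    auto=add
```

Before loading either layout, confirm both nicknames exist in the NSS db
(for example with `certutil -L -d sql:/var/lib/ipsec/nss`, the default
database path on most distributions; adjust if yours differs), then load
with `ipsec auto --add vpn-oldca` and `ipsec auto --add vpn-newca` and
check `ipsec status`. Once the old CA has expired, the vpn-oldca conn and
its gateway certificate can simply be removed.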

