[Swan] Guidance for "complex multi CA certificate situations"
Nels Lindquist
nlindq at maei.ca
Thu Aug 24 18:17:08 EEST 2023
On 2023-08-21 2:13 AM, Tuomo Soini wrote:
> If you omit leftca and rightca, any valid CA from your NSS db is OK,
> which is normally what you want.
>
> Only if you have extra CA certs you want to trust for a single connection
> are you in trouble, and then you need to duplicate all your connections
> with a different local certificate and rightca=%same...
>
> Some VPN clients only allow the gateway to have a certificate signed by the
> same CA, so you might be forced to duplicate your connections for the
> transition anyway, because your gateway certificate must match the client
> certificate's CA in this case.
Windows is apparently one of the clients in that category, which makes
up the majority of our roadwarrior clients.
Duplicating the connection with additional local + CA certificates
worked perfectly.
Thanks very much!
--
Nels Lindquist
nlindq at maei.ca
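The layout the thread arrives at, written out as an added ipsec.conf example (this is not configuration posted by either participant or shipped with libreswan): one shared roadwarrior section, plus one conn per gateway certificate, each pinned with rightca=%same so that a client is only ever matched against a gateway certificate issued by the same CA as its own. The conn names, the NSS certificate nicknames and the address pool are assumptions; both CA certificates are assumed to already be imported into the NSS database, since leftcert only names a certificate by its NSS nickname.

```ini
# Added example, not from the original thread. Names and addresses are
# placeholders; the NSS nicknames below must exist in the gateway's NSS db.

# Settings common to every roadwarrior connection. auto=ignore keeps this
# template from being loaded as a connection in its own right.
conn roadwarrior-common
    left=%defaultroute
    leftid=%fromcert
    leftsubnet=0.0.0.0/0
    leftsendcert=always
    right=%any
    rightid=%fromcert
    rightaddresspool=10.99.0.10-10.99.0.250
    authby=rsasig
    ikev2=insist
    narrowing=yes
    auto=ignore

# Clients still enrolled under the old CA. The gateway presents the certificate
# issued by the old CA, and rightca=%same restricts client certificates to that
# same CA, so an old-CA client never sees a new-CA gateway certificate.
conn roadwarrior-oldca
    also=roadwarrior-common
    leftcert=gw.example.com-oldca
    rightca=%same
    auto=add

# Clients already re-enrolled under the new CA: same shape, different
# gateway certificate, and the matching CA constraint follows automatically.
conn roadwarrior-newca
    also=roadwarrior-common
    leftcert=gw.example.com-newca
    rightca=%same
    auto=add
```

Without rightca=%same, either conn would accept a client certificate from any CA in the NSS db, which is the behaviour the first quoted paragraph describes; the duplication is only needed because clients such as the Windows built-in IKEv2 client insist that the gateway certificate chain to the CA that issued their own. Once every client has been re-enrolled, the old-CA conn can be dropped and the old CA removed from the NSS db.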