Issue #3059

Cert auth fails

Added by Srinivas Gowda 10 days ago. Updated 10 days ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: configuration
Affected version: 5.7.2
Resolution:
Description

Hi,
Somehow, for a chained certificate, strongSwan fails to validate the signature.
I have loaded the root CA and signing CA certificates (in PEM format) into the 'cacerts' directory, the strongSwan private key into the 'private' directory, and the strongSwan certificate into the 'certs' directory. On receiving the AUTH response, strongSwan fails to verify the certificate and the connection fails.
Please let me know if I'm missing anything here.

------------------------
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr ]
received end entity cert "C=US, ST=Massachussetts, L=Burlington, O=XXXXXX XXXXXXXX, XXX., OU=Development, CN=10.1.101.15"
using certificate "C=US, ST=Massachussetts, L=Burlington, O=XXXXXX XXXXXXXX, XXX., OU=Development, CN=10.1.101.15"
using trusted intermediate ca certificate "C=US, ST=California, L=San Jose, O=XXXXXX XXXXXXXX, XXX., OU=Development, CN=XXXXXXXXXXXXX, E="
checking certificate status of "C=US, ST=Massachussetts, L=Burlington, O=XXXXXX XXXXXXXX, XXX., Inc., OU=Development, CN=10.1.101.15"
certificate status is not available
using trusted ca certificate "C=US, ST=California, L=San Jose, O=XXXXXX XXXXXXXX, XXX., OU=Development, CN=XXXXXX, E="
checking certificate status of "C=US, ST=California, L=San Jose, O=XXXXXX XXXXXXXX, XXX., OU=Development, CN=XXXXXXXXXXXXX, E="
certificate status is not available
reached self-signed root ca with a path length of 1
Srinivas returning TRUE
Srinivas :isVerified (0) isCompliant(1)
signature validation failed, looking for another key
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

History

#1 Updated by Tobias Brunner 10 days ago

  • Category changed from pki to configuration
  • Status changed from New to Feedback
  • Priority changed from High to Normal

Looks like the keys don't match (maybe you issued certificates with different keys but same identity). Make sure the key IDs of certificates and private keys match (check with pki --print).
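The key-match check suggested above, as an added shell example that is not part of the issue or of strongSwan: where `pki --print` is not at hand, it derives the DER-encoded SubjectPublicKeyInfo from the certificate and from the private key with openssl and compares their SHA-1 fingerprints, which are equal only if both files belong to the same key pair. File paths are the caller's; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the issue): verify that a PEM certificate and a PEM
# private key belong to the same key pair by comparing the SHA-1 fingerprint
# of each file's DER-encoded SubjectPublicKeyInfo. Requires openssl.

# Print the SPKI fingerprint of the public key embedded in a certificate.
spki_id_of_cert() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha1 | awk '{print $NF}'
}

# Print the SPKI fingerprint of the public key derived from a private key.
spki_id_of_key() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha1 | awk '{print $NF}'
}

# keys_match CERT KEY: exit 0 if the key pair matches, 1 if it does not,
# 2 if either file could not be parsed.
keys_match() {
    cert_id=$(spki_id_of_cert "$1")
    key_id=$(spki_id_of_key "$2")
    [ -n "$cert_id" ] && [ -n "$key_id" ] || return 2
    [ "$cert_id" = "$key_id" ]
}

# find_key_for_cert CERT DIR: print the path of every private key in DIR
# whose public half matches CERT (e.g. DIR=/etc/ipsec.d/private).
find_key_for_cert() {
    for key in "$2"/*; do
        [ -f "$key" ] || continue
        if keys_match "$1" "$key"; then
            echo "$key"
        fi
    done
}
```

Run `find_key_for_cert /etc/ipsec.d/certs/peer.pem /etc/ipsec.d/private` (paths are examples) to see which loaded key, if any, matches a given certificate; no output means none of them does.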
