log shows old certificates are still being sent out
I checked the log file; there are three certificates shown in the log.
charon: 12[IKE] 18.104.22.168 is initiating an IKE_SA
Oct 12 11:57:53 xxx charon: 12[IKE] remote host is behind NAT
Oct 12 11:57:53 xxx charon: 12[IKE] sending cert request for "CN=xxx1 root CA, SN=xxx, C=US, L=xxx, ST=xxx$
Oct 12 11:57:53 xxx charon: 12[IKE] sending cert request for "CN=xxx2 root CA"
Oct 12 11:57:53 xxx charon: 12[IKE] sending cert request for "C=xx, ST=xx, L=xx, CN=xxx3 root CA, SN=xxx, UID=xxx$
The two old root CAs are abandoned, so how do I disable them completely so that they won't show up in the log again? Thank you.
#1 Updated by Noel Kuntze about 1 month ago
- Category set to configuration
- Status changed from New to Feedback
- Assignee set to Noel Kuntze
See the documentation (specifically the man page for swanctl, depending on what you're using):
man ipsec (the wiki page for it right now differs from the man page, no idea which of those is actually correct):
rereadcacerts removes previously loaded CA certificates, reads all certificate files contained in the /etc/ipsec.d/cacerts directory and adds them to the list of Certification Authority (CA) certificates. This does not affect certificates explicitly defined in a ipsec.conf(5) ca section, which may be separately updated using the update command.
swanctl, it's probably
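The "sending cert request for" lines are one CERTREQ entry per CA certificate charon currently trusts, so the old CAs stop appearing once they are no longer loaded. The script below is an added example (not strongSwan project code and not part of the thread) for the stroke/ipsec.conf setup the man page excerpt above describes: it maps the files in the cacerts directory to their subject DNs so they can be matched against the DNs in the log, moves the abandoned files out of the directory, warns if ipsec.conf still has a `ca` section (which `rereadcacerts` does not touch and which needs `ipsec update` after editing), and then reloads. The directory and backup paths are assumed defaults; override them through the environment.

```shell
#!/bin/sh
# Added example, not from the strongSwan project or the thread authors.
# Assumes a stroke-based setup (ipsec.conf + /etc/ipsec.d/cacerts).
# CACERT_DIR and BACKUP_DIR are hypothetical defaults; override as needed.
set -e

CACERT_DIR="${CACERT_DIR:-/etc/ipsec.d/cacerts}"
BACKUP_DIR="${BACKUP_DIR:-/root/cacerts-disabled}"

# Print "file<TAB>subject" for every certificate in a directory so the files
# can be matched against the "sending cert request for" DNs in the charon log.
# Tries PEM first, then DER; anything openssl cannot parse is flagged.
list_ca_subjects() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null \
               || openssl x509 -inform DER -in "$f" -noout -subject 2>/dev/null \
               || echo "subject=<unparseable>")
        printf '%s\t%s\n' "$f" "${subj#subject=}"
    done
}

# Move one CA file out of the directory charon scans. Moving rather than
# deleting keeps a copy in case a peer still presents the old chain and the
# change has to be reverted. Prints the new path.
quarantine_ca() {
    src="$1"; dest_dir="$2"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    mkdir -p "$dest_dir"
    mv "$src" "$dest_dir/"
    echo "$dest_dir/$(basename "$src")"
}

# Return 0 if ipsec.conf contains a "ca <name>" section. CAs defined there are
# not dropped by rereadcacerts; they must be removed from the file and the
# daemon told with "ipsec update".
has_ca_section() {
    conf="$1"
    grep -Eq '^[[:space:]]*ca[[:space:]]+[^[:space:]]+' "$conf"
}

# Ask the running daemon to drop and reread the CA cache, then show what is
# still loaded. Only runs where the ipsec command is installed.
reload_cacerts() {
    command -v ipsec >/dev/null 2>&1 || { echo "ipsec not installed" >&2; return 2; }
    ipsec rereadcacerts
    ipsec listcacerts
}

# Usage: RUN_MAIN=1 ./disable-old-cas.sh old1.pem old2.pem
main() {
    list_ca_subjects "$CACERT_DIR"
    for f in "$@"; do
        quarantine_ca "$CACERT_DIR/$f" "$BACKUP_DIR"
    done
    if has_ca_section /etc/ipsec.conf; then
        echo "note: ipsec.conf has ca sections; remove the old ones and run 'ipsec update'" >&2
    fi
    reload_cacerts
}

if [ "${RUN_MAIN:-0}" = 1 ]; then
    main "$@"
fi
```

Run `list_ca_subjects` first and compare the printed DNs with the three in the log before quarantining anything; the file names in cacerts rarely say which CA they hold. After `ipsec rereadcacerts`, `ipsec listcacerts` should show only the CA you kept, and the next IKE_SA in the log should carry a single cert request. For a swanctl-based setup the CA files live under /etc/swanctl/x509ca instead and are reloaded with `swanctl --load-creds`; the same move-then-reload idea applies.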