Issue #3680
How to unload a particular certificate from strongswan.
Description
Hi, I am facing one issue. I have loaded multiple certificates with the same SAN. If I want to unload one of them, what is the best way?
For example:
List of X.509 End Entity Certificates

  subject:   "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E=support@xyz.com"
  issuer:    "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E=support@xyz.com"
  validity:  not before Jan 20 17:58:06 2021, ok
             not after  Jan 17 17:58:06 2036, ok (expires in 5474 days)
  serial:    60:08:6f:2e
  flags:     self-signed
  authkeyId: d7:15:e0:83:2a:c9:3f:47:35:a9:2a:ad:58:f3:2f:06:e0:1c:98:0e
  subjkeyId: d7:15:e0:83:2a:c9:3f:47:35:a9:2a:ad:58:f3:2f:06:e0:1c:98:0e
  pubkey:    RSA 2048 bits
  keyid:     67:e7:af:36:4b:b8:39:aa:68:01:31:96:cb:16:59:a5:5d:8d:37:62
  subjkey:   d7:15:e0:83:2a:c9:3f:47:35:a9:2a:ad:58:f3:2f:06:e0:1c:98:0e

  subject:   "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E=support@xyz.com"
  issuer:    "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E=support@xyz.com"
  validity:  not before Jan 20 00:38:18 2021, ok
             not after  Jan 17 00:38:18 2036, ok (expires in 5474 days)
  serial:    60:07:7b:7a
  flags:     self-signed
  authkeyId: cc:af:1e:f3:63:d7:2f:78:d2:98:dd:c3:96:d4:67:17:81:4c:7f:d8
  subjkeyId: cc:af:1e:f3:63:d7:2f:78:d2:98:dd:c3:96:d4:67:17:81:4c:7f:d8

I want to unload the 2nd certificate. I don't see any API to unload any particular API on the davici page.
https://www.strongswan.org/apidoc/md_src_libcharon_plugins_vici_README.html
History
#1 Updated by Tobias Brunner over 4 years ago
- Status changed from New to Feedback
> I want to unload the 2nd certificate. I don't see any API to unload any particular API on the davici page.

There currently is none. The only way is to clear all credentials (clear-creds command) and then load the ones you actually want.
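
The workaround from comment #1, sketched as an added example; it is not part of the original thread and not strongSwan's own code. It assumes `session` behaves like `vici.Session` from strongSwan's Python vici bindings (`list_certs`, `clear_creds`, `load_cert`), and the helper names `der_tlv`, `cert_serial` and `reload_without` are hypothetical. Because both certificates share a subject, the one to drop is selected by serial, and nothing is cleared unless exactly one certificate matches.

```python
def der_tlv(buf, off):
    """Read one DER TLV header at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def cert_serial(der):
    """serialNumber of a DER X.509 certificate as colon-separated hex."""
    _, pos, _ = der_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = der_tlv(der, pos)      # tbsCertificate ::= SEQUENCE
    tag, start, end = der_tlv(der, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version
        tag, start, end = der_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].hex(":")


def reload_without(session, drop_serial):
    """Emulate 'unload one certificate': clear-creds, then load-cert the rest.

    session is assumed to behave like vici.Session (list_certs, clear_creds,
    load_cert). Assumes every listed certificate was loaded over vici.
    Private keys and shared secrets are cleared too and cannot be read back;
    the caller must load them again from their original source.
    """
    certs = [dict(c) for c in session.list_certs()]  # snapshot before clearing
    keep = [c for c in certs if cert_serial(c["data"]) != drop_serial.lower()]
    if len(certs) - len(keep) != 1:
        # Refuse to clear anything unless exactly one certificate matches.
        raise LookupError(f"expected one match for {drop_serial}, "
                          f"found {len(certs) - len(keep)}")
    session.clear_creds()
    for c in keep:
        session.load_cert({"type": c["type"], "flag": c["flag"], "data": c["data"]})
    return [cert_serial(c["data"]) for c in keep]


if __name__ == "__main__":
    import vici  # strongSwan's Python bindings; needs a running charon
    # Serial of the second certificate in the listing above.
    print(reload_without(vici.Session(), "60:07:7b:7a"))
```
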
#2 Updated by Digambar Ingale over 4 years ago
Tobias Brunner wrote:
> > I want to unload the 2nd certificate. I don't see any API to unload any particular API on the davici page.
>
> There currently is none. The only way is to clear all credentials (clear-creds command) and then load the ones you actually want.

Thanks Tobias Brunner, I really appreciate your quick response on my query. Is there any future plan to add support to unload a specific certificate from VICI?
#3 Updated by Tobias Brunner over 4 years ago
> Is there any future plan to add support to unload a specific certificate from VICI?

Not at this time.