Issue #3680

How to unload a particular certificate from strongswan.

Added by Digambar Ingale 8 months ago. Updated 8 months ago.

Status: Feedback
Priority: Normal
Category: vici
Affected version: 5.9.1
Resolution:

Description

Hi, I am facing one issue. I have loaded multiple certificates with the same SAN. If I want to unload one of them, what is the best way?

for example:

List of X.509 End Entity Certificates

subject:  "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E=" 
issuer: "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E="
validity: not before Jan 20 17:58:06 2021, ok
not after Jan 17 17:58:06 2036, ok (expires in 5474 days)
serial: 60:08:6f:2e
flags: self-signed
authkeyId: d7:15:e0:83:2a:c9:3f:47:35:a9:2a:ad:58:f3:2f:06:e0:1c:98:0e
subjkeyId: d7:15:e0:83:2a:c9:3f:47:35:a9:2a:ad:58:f3:2f:06:e0:1c:98:0e
pubkey: RSA 2048 bits
keyid: 67:e7:af:36:4b:b8:39:aa:68:01:31:96:cb:16:59:a5:5d:8d:37:62
subjkey: d7:15:e0:83:2a:c9:3f:47:35:a9:2a:ad:58:f3:2f:06:e0:1c:98:0e

subject:  "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E="
issuer: "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E="
validity: not before Jan 20 00:38:18 2021, ok
not after Jan 17 00:38:18 2036, ok (expires in 5474 days)
serial: 60:07:7b:7a
flags: self-signed
authkeyId: cc:af:1e:f3:63:d7:2f:78:d2:98:dd:c3:96:d4:67:17:81:4c:7f:d8
subjkeyId: cc:af:1e:f3:63:d7:2f:78:d2:98:dd:c3:96:d4:67:17:81:4c:7f:d8

I want to unload the 2nd certificate. I don't see any API to unload any particular API on the davici page.

https://www.strongswan.org/apidoc/md_src_libcharon_plugins_vici_README.html

History

#1 Updated by Tobias Brunner 8 months ago

  • Status changed from New to Feedback

I want to unload the 2nd certificate. I don't see any API to unload any particular API on the davici page.

There currently is none. The only way is to clear all credentials (clear-creds command) and then load the ones you actually want.
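
The workaround from comment #1 (clear everything, then load only what should stay), as an added example that is not part of the original thread or of strongSwan's code. `session` is assumed to be a `vici.Session` from strongSwan's Python bindings; `reload_without`, `der_serial` and `fake_cert` are hypothetical names, and the certificate to drop is picked by the serial shown in the listing.

```python
"""Drop one certificate from charon by clearing and reloading (added example)."""

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_serial(der):
    """Serial of a DER X.509 certificate as colon-separated hex (e.g. 60:07:7b:7a)."""
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate ::= SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return ":".join(f"{b:02x}" for b in der[start:end])

def reload_without(session, certs, drop_serial, keys=()):
    """clear-creds, then load every certificate except the one with drop_serial.

    session: object with clear_creds(), load_cert(), load_key() (assumed to be
    a vici.Session). certs: DER blobs of everything previously loaded.
    keys: private keys to restore, since clear-creds removes all credentials.
    Returns the serials that were loaded again.
    """
    keep = [c for c in certs if der_serial(c) != drop_serial.lower()]
    if len(keep) == len(certs):            # refuse to wipe credentials for a no-op
        raise LookupError(f"no loaded certificate has serial {drop_serial}")
    session.clear_creds()                  # removes ALL vici-loaded credentials
    for cert in keep:
        session.load_cert({"type": "X509", "flag": "NONE", "data": cert})
    for key in keys:
        session.load_key({"type": "any", "data": key})
    return [der_serial(c) for c in keep]

def fake_cert(serial):
    """Constructed sample: just enough DER (version + serial) for der_serial()."""
    tbs = b"\xa0\x03\x02\x01\x02" + bytes([0x02, len(serial)]) + serial
    return b"\x30" + bytes([len(tbs) + 2]) + b"\x30" + bytes([len(tbs)]) + tbs
```

Parsing and the serial lookup run before `clear_creds()`, so a typo in the serial cannot leave charon empty; between that call and the last load, charon holds none of the vici-loaded credentials.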

#2 Updated by Digambar Ingale 8 months ago

Digambar Ingale wrote:

Hi, I am facing one issue. I have loaded multiple certificates with the same SAN. If I want to unload one of them, what is the best way?

for example:

List of X.509 End Entity Certificates

subject: "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E="
issuer: "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E="
validity: not before Jan 20 17:58:06 2021, ok
not after Jan 17 17:58:06 2036, ok (expires in 5474 days)
serial: 60:08:6f:2e
flags: self-signed
authkeyId: d7:15:e0:83:2a:c9:3f:47:35:a9:2a:ad:58:f3:2f:06:e0:1c:98:0e
subjkeyId: d7:15:e0:83:2a:c9:3f:47:35:a9:2a:ad:58:f3:2f:06:e0:1c:98:0e
pubkey: RSA 2048 bits
keyid: 67:e7:af:36:4b:b8:39:aa:68:01:31:96:cb:16:59:a5:5d:8d:37:62
subjkey: d7:15:e0:83:2a:c9:3f:47:35:a9:2a:ad:58:f3:2f:06:e0:1c:98:0e

subject: "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E="
issuer: "C=IN, ST=Maharashtra, L=Goa, O=xyz, OU=Systems, CN=device1, E="
validity: not before Jan 20 00:38:18 2021, ok
not after Jan 17 00:38:18 2036, ok (expires in 5474 days)
serial: 60:07:7b:7a
flags: self-signed
authkeyId: cc:af:1e:f3:63:d7:2f:78:d2:98:dd:c3:96:d4:67:17:81:4c:7f:d8
subjkeyId: cc:af:1e:f3:63:d7:2f:78:d2:98:dd:c3:96:d4:67:17:81:4c:7f:d8

I want to unload the 2nd certificate. I don't see any API to unload any particular API on the davici page.

https://www.strongswan.org/apidoc/md_src_libcharon_plugins_vici_README.html

Tobias Brunner wrote:

I want to unload the 2nd certificate. I don't see any API to unload any particular API on the davici page.

There currently is none. The only way is to clear all credentials (clear-creds command) and then load the ones you actually want.

Thanks Tobias Brunner, I really appreciate your quick response to my query. Is there any future plan to add support to unload a specific certificate from VICI?

#3 Updated by Tobias Brunner 8 months ago

Is there any future plan to add support to unload a specific certificate from VICI?

Not at this time.