ipsec.conf: ca Reference » History » Version 13

Tobias Brunner, 26.06.2012 08:53
TOC removed


ipsec.conf: ca <name>

ca <name>

ca sections are optional sections that can be used to assign special parameters to a Certification Authority (CA).

Because the daemons automatically import CA certificates from /etc/ipsec.d/cacerts, there is no need to explicitly add them with a CA section, unless you want to assign special parameters (like a CRL) to a CA.

Parameters

also = <section name>

includes ca section <name>.

auto = ignore | add

cacert = <path>

defines a path to the CA certificate either relative to /etc/ipsec.d/cacerts or as an absolute path.

crluri = <uri>

defines a CRL distribution point (ldap, http, or file URI).

crluri1

synonym for crluri.

crluri2 = <uri>

defines an alternative CRL distribution point (ldap, http, or file URI).

ldaphost = <hostname>

defines an LDAP host. Only used by the IKEv1 daemon pluto.

ocspuri = <uri>

defines an OCSP URI.

ocspuri1

synonym for ocspuri.

ocspuri2 = <uri>

defines an alternative OCSP URI. Only used by the charon daemon (since 5.0.0 also for IKEv1).

certuribase = <uri>

defines the base URI for the Hash and URL feature supported by IKEv2.
Instead of exchanging complete certificates, IKEv2 allows sending a URI
that resolves to the DER-encoded certificate. The certificate URIs are built
by appending the SHA1 hash of the DER-encoded certificates to this base URI.
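
The following is an added example, not part of the original page or of strongSwan's code. It computes the URI under which a certificate would have to be published for a given certuribase. Assumptions: the hash is appended as lowercase hex with no separator, and the base URI, sample bytes and function names are placeholders chosen for illustration.

```python
import base64
import hashlib
import re

# Matches one PEM-armoured certificate; anything else is treated as DER.
_PEM = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the DER encoding; PEM input is base64-decoded first."""
    m = _PEM.search(data)
    # b64decode ignores the line breaks inside the PEM body.
    return base64.b64decode(m.group(1)) if m else data


def hash_and_url(certuribase: str, cert: bytes) -> str:
    """Append the SHA1 hash of the DER-encoded certificate to the base URI.

    Assumption: the hash is written as lowercase hex. Nothing is inserted
    between base and hash, so certuribase must carry its own trailing '/'.
    """
    return certuribase + hashlib.sha1(to_der(cert)).hexdigest()


# Constructed stand-in bytes, not a real certificate: only the encoding
# matters for the hash, which is enough to show the PEM/DER difference.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
BASE = "http://certs.example.org/"  # placeholder certuribase

if __name__ == "__main__":
    print(hash_and_url(BASE, SAMPLE_DER))
    print(hash_and_url(BASE, SAMPLE_PEM))  # same URI as for the DER input
    # Hashing the PEM text itself yields a different name, which a peer
    # resolving the URI would not find on the server:
    print(BASE + hashlib.sha1(SAMPLE_PEM).hexdigest())
```

The file served at the resulting URI has to be the DER encoding itself, since that is what the URI is defined to resolve to.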