Version 16 (Tobias Brunner, 31.01.2013 11:24) → Version 17/18 (Tobias Brunner, 23.10.2015 18:58)
{{title(ipsec.conf: ca Reference)}}
h1. ipsec.conf: ca <name>
*ca* sections are *optional sections* that can be used to assign special parameters to a Certification Authority (CA).
Because the daemon automatically imports CA certificates from [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]], there is no need to
add them explicitly with a *ca* section, unless you want to assign special parameters (like a CRL distribution point or an OCSP responder) to that CA.
h2. Parameters
_also = <name>_
p((. includes ca section _<name>_. Some aspects of this changed with version:5.2.0 (refer to [[IpsecConf#Reusing-Existing-Parameters]] for details).
_auto = *ignore* | add_
p((. currently can have either the value *ignore* (the default) or *add*. A *ca* section is only loaded by the daemon if set to *add*.
_cacert = <path>_
p((. defines a path to the CA certificate either relative to [[IpsecDirectoryCacerts|/etc/ipsec.d/cacerts]] or as an absolute path.
p((. Since [[5.0.2]] a value of the form _%smartcard[<slot nr>[@<module>]]:<keyid>_ defines a specific CA certificate
to load from a PKCS#11 backend for this CA. See [[PinSecret|ipsec.secrets]] for details about smartcard definitions.
_crluri = <uri>_
p((. defines a CRL distribution point (ldap, http, or file URI).
_crluri1_
p((. synonym for _crluri_.
_crluri2 = <uri>_
p((. defines an alternative CRL distribution point (ldap, http, or file URI).
_ocspuri = <uri>_
p((. defines an OCSP URI.
_ocspuri1_
p((. synonym for _ocspuri_.
_ocspuri2 = <uri>_
p((. defines an alternative OCSP URI. Only used by the charon daemon (since 5.0.0 also for IKEv1).
_certuribase = <uri>_
p((. defines the base URI for the [[HashAndUrl|Hash and URL]] feature supported by IKEv2.
Instead of exchanging complete certificates, IKEv2 allows a peer to send a URI
that resolves to the DER encoded certificate. The certificate URIs are built
by appending the hex-encoded SHA-1 hash of the DER encoded certificate to this base URI.
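The following is an added example (not strongSwan code and not part of the original page) that shows both sides of the Hash and URL mechanism described above: how the file name under _certuribase_ is derived from the DER certificate, what the sender puts into the CERT payload (the 20-byte SHA-1 followed by the URL, per RFC 7296), and the check the receiver must perform on the fetched blob before using it. The _ca_ section, host names and paths in the sample configuration are constructed for illustration; the minimal _ca_ section parser is likewise an assumption of this example (it ignores _also_ and _config setup_), not the daemon's parser.

```python
"""Hash-and-URL helper for the certuribase parameter (added example, not strongSwan code)."""
import base64
import hashlib
import re

# Constructed sample ca section; host names and paths are assumptions for this example.
SAMPLE_IPSEC_CONF = """\
ca example-ca
    cacert=exampleCA.pem
    crluri=http://pki.example.org/crl/example.crl
    ocspuri=http://ocsp.example.org/
    certuribase=http://pki.example.org/certs/
    auto=add
"""


def ca_sections(text):
    """Parse 'ca <name>' sections into {name: {param: value}}.

    Simplified for the example: 'also' includes and 'config setup' are not handled.
    """
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip(), {}) if kind == "ca" else None
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode to the DER bytes the hash is computed over."""
    body = re.sub(r"-----(BEGIN|END) [^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def cert_filename(der):
    """File name to publish under certuribase: lower-case hex SHA-1 of the DER certificate."""
    return hashlib.sha1(der).hexdigest()


def cert_uri(base, der):
    """URI the peer fetches: certuribase followed by the hex SHA-1 of the DER certificate."""
    return base + cert_filename(der)


def hash_and_url_payload(base, der):
    """Data of an IKEv2 CERT payload with encoding 'Hash and URL of X.509 certificate':
    the 20-octet SHA-1 of the DER certificate followed by the URL (RFC 7296, section 3.6).
    """
    return hashlib.sha1(der).digest() + cert_uri(base, der).encode()


def fetch_and_verify(payload_data, fetch):
    """Receiver side: split hash and URL, fetch the blob, and reject it unless its SHA-1
    matches the hash carried in the IKE message. 'fetch' is any callable url -> bytes|None.
    Passing this check only binds the blob to the hash; chain validation and the CRL/OCSP
    checks configured with crluri/ocspuri still have to be applied to the certificate.
    """
    expected, url = payload_data[:20], payload_data[20:].decode()
    blob = fetch(url)
    if blob is None or hashlib.sha1(blob).digest() != expected:
        return None
    return blob


if __name__ == "__main__":
    base = ca_sections(SAMPLE_IPSEC_CONF)["example-ca"]["certuribase"]
    # Constructed stand-in for a DER certificate; a real deployment hashes the actual DER file.
    der = pem_to_der("-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n")
    print("publish as:", cert_uri(base, der))
    store = {cert_uri(base, der): der}          # simulated web server behind certuribase
    print("verified:", fetch_and_verify(hash_and_url_payload(base, der), store.get) == der)
```

In practice the DER file is copied to the web server under the name returned by _cert_filename_ and the peer that should send the Hash and URL form is configured with this _certuribase_; the receiving side must treat a hash mismatch as a failed authentication, not fall back to the unverified blob.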
h2. Old options (before 5.0.0)
_ldaphost = <hostname>_
p((. defines an LDAP host. Only used by the IKEv1 daemon pluto, which was removed in 5.0.0.