StrongSwan Charon-cmd Client – Why Use --cert Option for Multiple CA Chain Certificates?


I have a StrongSwan charon server on Ubuntu 18.04. I connect to this server with a StrongSwan charon-cmd client from another Ubuntu Linux machine.

The command I use from the client machine to connect to the server is:

charon-cmd --cert ./GoDaddyCA1.crt --cert GoDaddyCA2.crt --host xxx.example.com --identity myusername

It works great, but I don't understand why I need two "--cert" options in the command line to trust both GoDaddy CA certificates in the chain.

My personal certificate is served by the StrongSwan server, and its authority is the GoDaddyCA1.crt. The GoDaddyCA1.crt certificate has an authority of the GoDaddyCA2.crt certificate. The GoDaddyCA2.crt is a self-signed root certificate.

So, the authority chain is:

MyPersonalCert.crt -> GoDaddyCA1.crt -> GoDaddyCA2.crt

The meaning of the charon-cmd command-line option "--cert" is to declare that "this is a certificate that I trust". So, I would expect that by trusting the GoDaddyCA1.crt, my personal certificate should also be trusted.

But that's not good enough for charon-cmd. The charon-cmd client demands that I specify "--cert" to trust all the way to a self-signed certificate. But this seems superfluous. If I trust the intermediate CA certificate, then obviously I must also trust its authority CA cert, right?

Is this a bug, or a feature? If it's a feature, what benefit does it provide?

Best Answer

Intermediate CA certificates are currently not accepted as trust anchors in strongSwan, only self-signed root CA certificates.

If the server sends the intermediate CA certificate along with the server certificate, you only have to trust the root CA certificate (i.e. --cert GoDaddyCA2.crt will be enough). If it doesn't, make sure it's installed and check the config (e.g. send_cert in swanctl.conf). Only if that's not an option, you can't avoid having to configure both certificates on the client.
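The behaviour described in the question and the answer can be reproduced outside of strongSwan with a plain X.509 path validator. The script below is an added example, not part of the original post and not strongSwan code: it builds a constructed three-tier chain (leaf -> intermediate -> root, with made-up names standing in for MyPersonalCert.crt, GoDaddyCA1.crt and GoDaddyCA2.crt) using the OpenSSL command-line tool, which it assumes is installed, and then checks which combinations of "trusted" and "sent by the peer" certificates let the chain validate. The four cases map onto the answer: trusting only the root works when the peer sends the intermediate, trusting only the root fails when the peer sends nothing, trusting only the intermediate fails because there is no self-signed anchor, and trusting both (the two --cert options from the question) works regardless of what the peer sends.

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): build a constructed
# three-tier chain with the OpenSSL CLI and test which certificates a verifier
# needs as trust anchors. Assumes the `openssl` binary is available.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for CA and end-entity certificates (constructed).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/leaf.ext"

# Root CA: self-signed, the only kind of trust anchor strongSwan accepts
# (stands in for GoDaddyCA2.crt).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

# Intermediate CA, issued by the root (stands in for GoDaddyCA1.crt).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null

# Leaf (server) certificate, issued by the intermediate (stands in for MyPersonalCert.crt).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=vpn.example.test" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# The "two --cert options" case: both CA certificates configured as trusted.
cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/both.crt"

# verify_leaf TRUSTED [UNTRUSTED]
#   TRUSTED   file of certificates the client trusts (the --cert equivalent)
#   UNTRUSTED optional file of certificates the peer sends along with its own;
#             they help build the chain but are not trusted by themselves
# Returns 0 only if a chain from the leaf to a trusted self-signed root exists.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

# Same check, but allowing a non-self-signed certificate as the anchor
# (OpenSSL's -partial_chain). This is the behaviour the question expected;
# strongSwan does not offer such a mode.
verify_leaf_partial() {
  openssl verify -partial_chain -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# report LABEL TRUSTED [UNTRUSTED]: print the outcome of one case.
report() {
  label=$1; shift
  if verify_leaf "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

report "trust root, peer sends intermediate        " "$WORK/root.crt" "$WORK/inter.crt"
report "trust root only, peer sends nothing        " "$WORK/root.crt"
report "trust intermediate only, no self-signed root" "$WORK/inter.crt"
report "trust root and intermediate (two --cert)   " "$WORK/both.crt"
if verify_leaf_partial "$WORK/inter.crt"; then
  echo "trust intermediate only, with -partial_chain: OK"
else
  echo "trust intermediate only, with -partial_chain: FAIL"
fi
```

The third case is the one behind the original complaint: a validator that insists on a self-signed anchor cannot accept GoDaddyCA1.crt on its own, so either GoDaddyCA2.crt must be trusted and the intermediate supplied by the peer (the send_cert route from the answer), or both must be configured with --cert. The final check shows that an intermediate-as-anchor mode does exist in OpenSSL as an explicit opt-in; its absence in strongSwan is a design choice, not a broken chain.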