Hello out there,

first of all a reference to my question on stackexchange which finally brought me here can be found in [1].

I'm trying to realize the following scenario. Two hosts, Alice and Bob, want to communicate using X.509 certificates. The certificate structure is as follows:

 RootCA -> SubCA_A -> Alice
 RootCA -> SubCA_B -> Bob

Alice has the following certificates installed

  Alice.crt    (contains Alice's and SubCA_A's certificates)

while Bob has these certs installed

  Bob.crt      (contains Bob's and SubCA_B's certificates)

Now when Alice wants to authenticate herself to Bob, she sends him "Alice.crt". Bob verifies SubCA_A's signature on Alice's certificate and the RootCA's signature on the SubCA_A certificate and grants access (or not).

I am wondering if racoon can handle the certificate bundles as described above and how to create and configure them correctly. I am using a workaround at the moment, which basically means that I have installed all intermediate CA certificates on every host. But that becomes a problem when using more than a single intermediate CA for certificates.

According to RFC 5996 (IKEv2), "Implementations MUST be capable of being configured to send and accept up to four X.509 certificates in support of authentication", but I cannot figure out how to get racoon working with PEM bundles; it always reads only the first certificate of a bundle and ignores whatever follows below.

Any help, hint or explanation is greatly appreciated.

[1] http://security.stackexchange.com/questions/41433/how-to-authenticate-to-racoon-with-a-certificate-chain-if-only-the-root-ca-is-kn