swanctl: Document the remote ca_id option for identity based CA constraints
parent
3c71a3201f
commit
55fc514ed2
|
@ -593,6 +593,16 @@ connections.<conn>.remote<suffix>.cacert<suffix>.slot =
|
||||||
connections.<conn>.remote<suffix>.cacert<suffix>.module =
|
connections.<conn>.remote<suffix>.cacert<suffix>.module =
|
||||||
Optional PKCS#11 module name.
|
Optional PKCS#11 module name.
|
||||||
|
|
||||||
|
connections.<conn>.remote<suffix>.ca_id =
|
||||||
|
Identity in CA certificate to accept for authentication.
|
||||||
|
|
||||||
|
The specified identity must be contained in one (intermediate) CA
|
||||||
|
of the remote peer trustchain, either as subject or as subjectAltName.
|
||||||
|
This has the same effect as specifying _cacerts_ to force clients under
|
||||||
|
a CA to specific connections; it does not require the CA certificate to
|
||||||
|
be available locally, and can be received from the peer during the
|
||||||
|
IKE exchange.
|
||||||
|
|
||||||
connections.<conn>.remote<suffix>.pubkeys =
|
connections.<conn>.remote<suffix>.pubkeys =
|
||||||
Comma separated list of raw public keys to accept for authentication.
|
Comma separated list of raw public keys to accept for authentication.
|
||||||
|
|
||||||
|
|
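Review bot: The last sentence of the new ca_id description, "it does not require the CA certificate to be available locally, and can be received from the peer during the IKE exchange", leaves the subject of "can be received" unclear and does not say what anchors trust when the matching CA certificate arrives from the peer. Suggest rewording along the lines of "the CA certificate does not have to be available locally; it can be received from the peer during the IKE exchange", and stating explicitly whether the chain must still end in a locally trusted root. The text would also benefit from saying how ca_id combines with cacerts when both are set on the same remote section, and whether "one (intermediate) CA" includes the root CA or only intermediates.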