swanctl: Document the remote ca_id option for identity based CA constraints

author Martin Willi <martin@strongswan.org>

Thu, 28 Nov 2019 09:20:50 +0000 (10:20 +0100)

committer Tobias Brunner <tobias@strongswan.org>

Fri, 6 Dec 2019 09:07:46 +0000 (10:07 +0100)
author Martin Willi <martin@strongswan.org>
Thu, 28 Nov 2019 09:20:50 +0000 (10:20 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Fri, 6 Dec 2019 09:07:46 +0000 (10:07 +0100)
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt

index f7801b3c3959be679ebd9c20f55fe01dec784a5e..0ae9d457905d44655e5539c61524a4711ed1cdb4 100644 (file)
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -593,6 +593,16 @@ connections.<conn>.remote<suffix>.cacert<suffix>.slot =
  connections.<conn>.remote<suffix>.cacert<suffix>.module =
         Optional PKCS#11 module name.
  
+connections.<conn>.remote<suffix>.ca_id =
+       Identity in CA certificate to accept for authentication.
+
+       The specified identity must be contained in one (intermediate) CA
+       of the remote peer trustchain, either as subject or as subjectAltName.
+       This has the same effect as specifying _cacerts_ to force clients under
+       a CA to specific connections; it does not require the CA certificate to
+       be available locally, and can be received from the peer during the
+       IKE exchange.
+
  connections.<conn>.remote<suffix>.pubkeys =
         Comma separated list of raw public keys to accept for authentication.
author	Martin Willi <martin@strongswan.org>
	Thu, 28 Nov 2019 09:20:50 +0000 (10:20 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Fri, 6 Dec 2019 09:07:46 +0000 (10:07 +0100)