From: Martin Willi Date: Thu, 28 Nov 2019 09:20:50 +0000 (+0100) Subject: swanctl: Document the remote ca_id option for identity based CA constraints X-Git-Tag: 5.8.2rc1~6^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55fc514ed20c204a0e0f34c1068beda5dba856e4;p=thirdparty%2Fstrongswan.git swanctl: Document the remote ca_id option for identity based CA constraints --- diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index f7801b3c39..0ae9d45790 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -593,6 +593,16 @@ connections..remote.cacert.slot = connections..remote.cacert.module = Optional PKCS#11 module name. +connections..remote.ca_id = + Identity in CA certificate to accept for authentication. + + The specified identity must be contained in one (intermediate) CA + of the remote peer trustchain, either as subject or as subjectAltName. + This has the same effect as specifying _cacerts_ to force clients under + a CA to specific connections; it does not require the CA certificate to + be available locally, and can be received from the peer during the + IKE exchange. + connections..remote.pubkeys = Comma separated list of raw public keys to accept for authentication.
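Review bot: the new `connections..remote.ca_id` text should state explicitly that a CA certificate received from the peer is only honoured as part of a trustchain that still validates up to a locally trusted CA; as written, "it does not require the CA certificate to be available locally, and can be received from the peer during the IKE exchange" can be read as if a peer-supplied intermediate that merely contains the identity were sufficient on its own, which would defeat the constraint. It would also help to say how the option combines with _cacerts_ when both are configured (whether both constraints have to hold), and to reword "force clients under a CA to specific connections" to something like "restrict a connection to clients certified under a specific CA".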