diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-06-10 10:27:49 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-06-10 10:27:49 +0200 |
| commit | 82607438d6df5291c581d802c7a2a98eabe084ff (patch) | |
| tree | 3d70559d26469951d4a5b3674d8567be337f6f09 /data | |
| parent | 7ade4fa71b535289577978a73746c1fc1d993803 (diff) | |
| parent | 4e51569013b3f78abea9c18e5a6ecb9ff5ae4687 (diff) | |
| download | vyos-1x-82607438d6df5291c581d802c7a2a98eabe084ff.tar.gz vyos-1x-82607438d6df5291c581d802c7a2a98eabe084ff.zip | |
Merge pull request #3610 from c-po/ipsec-profile-T6424
op-mode: T6424: ipsec: honor certificate CN and CA chain during profile generation
Diffstat (limited to 'data')
| -rw-r--r-- | data/templates/ipsec/ios_profile.j2 | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2 index a9ae1c7a9..935acbf8e 100644 --- a/data/templates/ipsec/ios_profile.j2 +++ b/data/templates/ipsec/ios_profile.j2 @@ -48,10 +48,10 @@ <!-- Optional, if it matches the CN of the root CA certificate (not the full subject DN) a certificate request will be sent NOTE: If this is not configured make sure to configure leftsendcert=always on the server, otherwise it won't send its certificate --> <key>ServerCertificateIssuerCommonName</key> - <string>{{ ca_cn }}</string> + <string>{{ ca_common_name }}</string> <!-- Optional, the CN or one of the subjectAltNames of the server certificate to verify it, if not set RemoteIdentifier will be used --> <key>ServerCertificateCommonName</key> - <string>{{ cert_cn }}</string> + <string>{{ cert_common_name }}</string> <!-- The server is authenticated using a certificate --> <key>AuthenticationMethod</key> <string>Certificate</string> @@ -83,24 +83,22 @@ </dict> </dict> </dict> -{% if certs is vyos_defined %} +{% if ca_certificates is vyos_defined %} <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration --> -{% for cert in certs %} - <!-- Payload for: {{ cert.ca_cn }} --> +{% for ca in ca_certificates %} + <!-- Payload for: {{ ca.ca_name }} --> <dict> <key>PayloadIdentifier</key> - <string>org.{{ cert.ca_cn | lower | replace(' ', '.') | replace('_', '.') }}</string> + <string>org.{{ ca.ca_name | lower | replace(' ', '.') | replace('_', '.') }}</string> <key>PayloadUUID</key> - <string>{{ cert.ca_cn | generate_uuid4 }}</string> + <string>{{ ca.ca_name | get_uuid }}</string> <key>PayloadType</key> <string>com.apple.security.root</string> <key>PayloadVersion</key> <integer>1</integer> <!-- This is the Base64 (PEM) encoded CA certificate --> <key>PayloadContent</key> - <data> - {{ cert.ca_cert }} - </data> + <data>{{ ca.ca_chain }}</data> </dict> {% endfor %} {% endif %} |