Missing Sectigo Certificates & Strongswan Troubles

Hello, I’ve been trying to connect to a Strongswan VPN via NetworkManager and found that I’m unable to because I’m supposedly missing some certificates:

Mar 25 14:25:16 laptop charon-nm[3720270]: 15[IKE] received end entity cert "C=GB, ST=<REDACTED>, O=<REDACTED>, CN=<REDACTED>"
Mar 25 14:25:16 laptop charon-nm[3720270]: 15[IKE] received issuer cert "C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA OV R36"
Mar 25 14:25:16 laptop charon-nm[3720270]: 15[IKE] received issuer cert "C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46"
Mar 25 14:25:16 laptop charon-nm[3720270]: 15[IKE] received issuer cert "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
Mar 25 14:25:16 laptop charon-nm[3720270]: 15[CFG]   using certificate "C=GB, ST=<REDACTED>, O=<REDACTED>, CN=<REDACTED>"
Mar 25 14:25:16 laptop charon-nm[3720270]: 15[CFG]   using untrusted intermediate certificate "C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA OV R36"
Mar 25 14:25:16 laptop charon-nm[3720270]: 15[CFG]   using untrusted intermediate certificate "C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46"
Mar 25 14:25:16 laptop charon-nm[3720270]: 15[CFG]   using untrusted intermediate certificate "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
Mar 25 14:25:16 laptop charon-nm[3720270]: 15[CFG] no issuer certificate found for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
Mar 25 14:25:16 laptop charon-nm[3720270]: 15[CFG]   issuer is "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"

I’ve been able to fix this by downloading this certificate and then adding certificate=/path/to/sectigo-root.crt to the connection’s vpn.data. It also seems like this certificate isn’t bundled. Is there any way to get it bundled? Or am I missing something?

As a sidenote, I had troubles connecting because routing tables weren’t being set correctly, so I had to add ipv4.route-table=210 to my connection. Anyone know why this doesn’t happen by default with Strongswan?
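The log above is charon's own chain-building trace: it lists the certificates the peer sent, the chain it assembled from them, and finally the one link it could not close (the cross-signed USERTrust certificate, whose issuer "AAA Certificate Services" was not in charon's trust store). The script below is an added example, not code from the post or from strongSwan or NetworkManager, that reads such lines and reports exactly which subject DN the trust store must contain, so you can check for it before pointing vpn.data at a file. The sample log lines and DNs are constructed; the message wordings for the failing case are the ones visible above, while "using trusted ca certificate" for the success case is the wording I expect from strongSwan and is an assumption. The nmcli command it prints is the workaround from the post expressed as an nmcli invocation, with the connection name and path as placeholders.

```python
"""Diagnose a strongSwan (charon-nm) certificate-chain failure from its log lines."""
import re
from typing import Optional, Tuple

# Constructed sample log, modelled on the charon-nm output quoted in the post.
# The DNs are made up; only the message wording is strongSwan's.
FAILING_LOG = """\
Mar 25 14:25:16 laptop charon-nm[4242]: 15[IKE] received end entity cert "C=GB, O=Example, CN=vpn.example.test"
Mar 25 14:25:16 laptop charon-nm[4242]: 15[IKE] received issuer cert "C=GB, O=Example CA, CN=Example Intermediate"
Mar 25 14:25:16 laptop charon-nm[4242]: 15[IKE] received issuer cert "C=GB, O=Example CA, CN=Example Cross-Signed Root"
Mar 25 14:25:16 laptop charon-nm[4242]: 15[CFG]   using certificate "C=GB, O=Example, CN=vpn.example.test"
Mar 25 14:25:16 laptop charon-nm[4242]: 15[CFG]   using untrusted intermediate certificate "C=GB, O=Example CA, CN=Example Intermediate"
Mar 25 14:25:16 laptop charon-nm[4242]: 15[CFG]   using untrusted intermediate certificate "C=GB, O=Example CA, CN=Example Cross-Signed Root"
Mar 25 14:25:16 laptop charon-nm[4242]: 15[CFG] no issuer certificate found for "C=GB, O=Example CA, CN=Example Cross-Signed Root"
Mar 25 14:25:16 laptop charon-nm[4242]: 15[CFG]   issuer is "C=GB, O=Legacy CA, CN=Legacy Root"
"""

# Constructed success case: the chain ends at a certificate charon already trusts.
# The "using trusted ca certificate" wording is an assumption about strongSwan's output.
WORKING_LOG = """\
Mar 25 14:30:02 laptop charon-nm[4242]: 15[IKE] received end entity cert "C=GB, O=Example, CN=vpn.example.test"
Mar 25 14:30:02 laptop charon-nm[4242]: 15[CFG]   using certificate "C=GB, O=Example, CN=vpn.example.test"
Mar 25 14:30:02 laptop charon-nm[4242]: 15[CFG]   using untrusted intermediate certificate "C=GB, O=Example CA, CN=Example Intermediate"
Mar 25 14:30:02 laptop charon-nm[4242]: 15[CFG]   using trusted ca certificate "C=GB, O=Legacy CA, CN=Legacy Root"
Mar 25 14:30:02 laptop charon-nm[4242]: 15[CFG]   reached self-signed root ca with a path length of 1
"""

# One charon line: "charon-nm[pid]: thread[SUBSYS] message text "quoted DN"".
# Lines without a quoted DN (e.g. the path-length summary) are ignored on purpose.
LINE_RE = re.compile(r'charon(?:-nm)?\[\d+\]: \d+\[(?:IKE|CFG)\]\s+(.*?)\s+"([^"]+)"\s*$')

# Message text -> event meaning.
EVENTS = {
    "received end entity cert": "received",
    "received issuer cert": "received",
    "using certificate": "leaf",
    "using untrusted intermediate certificate": "intermediate",
    "using trusted ca certificate": "anchor",
    "no issuer certificate found for": "dangling",
    "issuer is": "missing_issuer",
}


def parse_chain(log_text: str) -> dict:
    """Collect the chain charon built and, if it failed, the link it could not close."""
    chain = {"leaf": None, "received": [], "intermediates": [],
             "anchor": None, "dangling": None, "missing_issuer": None}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, dn = EVENTS.get(m.group(1)), m.group(2)
        if kind == "received":
            chain["received"].append(dn)          # what the peer sent, in order
        elif kind == "intermediate":
            chain["intermediates"].append(dn)     # what charon actually chained through
        elif kind in ("leaf", "anchor", "dangling", "missing_issuer"):
            chain[kind] = dn
    return chain


def diagnose(log_text: str) -> Tuple[str, Optional[str]]:
    """Return ('complete', anchor DN), ('missing_trust_anchor', DN the trust
    store must contain) or ('undetermined', None)."""
    chain = parse_chain(log_text)
    if chain["anchor"]:
        return "complete", chain["anchor"]
    if chain["missing_issuer"]:
        return "missing_trust_anchor", chain["missing_issuer"]
    return "undetermined", None


def nmcli_workaround(connection: str, cert_path: str) -> str:
    """The post's fix (certificate=<file> in vpn.data) as an nmcli invocation.
    Both arguments are placeholders chosen by the caller."""
    return f'nmcli connection modify "{connection}" +vpn.data "certificate={cert_path}"'


def describe(log_text: str) -> str:
    """Human-readable report of the chain and what is missing."""
    chain = parse_chain(log_text)
    status, dn = diagnose(log_text)
    out = [f"leaf: {chain['leaf']}"]
    out += [f"  link {i}: {c}" for i, c in enumerate(chain["intermediates"], 1)]
    if status == "complete":
        out.append(f"trusted anchor: {dn}")
    elif status == "missing_trust_anchor":
        out.append(f"chain stops at: {chain['dangling']} (not self-signed)")
        out.append(f"trust store needs a certificate with subject: {dn}")
    else:
        out.append("no chain verdict found in log")
    return "\n".join(out)


if __name__ == "__main__":
    print(describe(FAILING_LOG))
    print(nmcli_workaround("my-vpn", "/path/to/missing-root.crt"))
    print()
    print(describe(WORKING_LOG))
```

Once the script names the subject, confirm whether your distribution's bundle actually carries it (for example by listing subjects with `openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep subject`): if it is there, the problem is the trust store charon-nm is consulting rather than the bundle, which is the distinction the reply below draws; if it is not, the certificate= entry in vpn.data is the honest fix. Pointing vpn.data at a single root file also narrows what the VPN will accept to that one CA, which is a reasonable property for a VPN gateway whose CA you know.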

It is included, but NetworkManager doesn’t use the system trust store by default. See Need unbundled CA certificates to connect to eduroam - #5 by rnhmjoj

I can’t seem to add the 802-1x.system-ca-certs config option. nmcli gives the following:

Error: invalid or not allowed setting '802-1x': '802-1x' not among [connection, vpn, match, ipv4, ipv6, prefix-delegation, hostname, link, tc, proxy].

EDIT: I tried the alternative solution (setting systemd service environment variable) and still no joy. I have a feeling it is something to do with charon-nm but I don’t know how to make it use the system trust store.