diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 52ac42c288..3588517c7d 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -469,6 +469,10 @@ Database URI for charons SQL plugin
 .BR charon.plugins.sql.loglevel " [-1]"
 Loglevel for logging to SQL database
 .TP
+.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
+Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
+certificates even if they don't contain a CA basic constraint.
+.TP
 .BR charon.plugins.stroke.max_concurrent " [4]"
 Maximum number of stroke messages handled concurrently
 .TP
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 47381b75ea..c004e7d78f 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -70,6 +70,12 @@ struct private_stroke_cred_t {
 	 */
 	mem_cred_t *creds;
 
+	/**
+	 * ignore missing CA basic constraint (i.e. treat all certificates in
+	 * ipsec.conf ca sections and ipsec.d/cacert as CA certificates)
+	 */
+	bool force_ca_cert;
+
 	/**
 	 * cache CRLs to disk?
 	 */
@@ -91,10 +97,21 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
 		snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
 	}
 
-	cert = lib->creds->create(lib->creds,
+	if (this->force_ca_cert)
+	{	/* we treat this certificate as a CA certificate even if it has no
+		 * CA basic constraint */
+		cert = lib->creds->create(lib->creds,
+							  CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA,
+							  BUILD_END);
+	}
+	else
+	{
+		cert = lib->creds->create(lib->creds,
 							  CRED_CERTIFICATE, CERT_X509,
 							  BUILD_FROM_FILE, path,
 							  BUILD_END);
+	}
 	if (cert)
 	{
 		x509_t *x509 = (x509_t*)cert;
@@ -171,11 +188,21 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 		{
 			case CERT_X509:
 				if (flag & X509_CA)
-				{	/* for CA certificates, we strictly require
-					 * the CA basic constraint to be set */
-					cert = lib->creds->create(lib->creds,
+				{
+					if (this->force_ca_cert)
+					{	/* treat this certificate as CA cert even it has no
+						 * CA basic constraint */
+						cert = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_X509,
+										BUILD_FROM_FILE, file, BUILD_X509_FLAG,
+										X509_CA, BUILD_END);
+					}
+					else
+					{
+						cert = lib->creds->create(lib->creds,
 										CRED_CERTIFICATE, CERT_X509,
 										BUILD_FROM_FILE, file, BUILD_END);
+					}
 					if (cert)
 					{
 						x509_t *x509 = (x509_t*)cert;
@@ -1073,6 +1100,9 @@ stroke_cred_t *stroke_cred_create()
 
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 
+	this->force_ca_cert = lib->settings->get_bool(lib->settings,
+			"charon.plugins.stroke.ignore_missing_ca_basic_constraint", FALSE);
+
 	load_certs(this);
 	load_secrets(this, SECRETS_FILE, 0, NULL);