strongSwan

h1. Requirements for certificates used with Windows 7

The Windows 7 Beta release was liberal in accepting certificates, but the Release Candidate adds new requirements for the VPN gateway certificate. 

h2. Required fields

Your gateway certificate must have:

* An *Extended Key Usage* flag, explicitly allowing the certificate to be used for authentication purposes. It is currently unclear which OIDs are accepted by Windows, but it seems that the "serverAuth" OID (_1.3.6.1.5.5.7.3.1_, often called _TLS Web server authentication_) gets accepted. If you are using OpenSSL to generate your

certificates then include the option

<pre>

extendedKeyUsage = serverAuth

</pre> 

* The hostname of the VPN gateway entered in the clients connection properties MUST be contained either in the *Distinguished Name* of the certificate or in a *subjectAltName* extension. E.g. using OpenSSL the subjectAltName _vpn.strongswan.org_ can be added with the option

<pre>

subjectAltName = DNS:vpn.strongswan.org

</pre>

h2. Disabling extended certificate checks

Alternatively, you may disable these extended certificate checks on the client. 

> *This is potentially dangerous, as any certificate holder assured by your CA may act as the VPN gateway.*

To disable the extended checks, add a _DWORD_ called _DisableIKENameEkuCheck_ to

> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\

in the clients Registry.

h2. Futher information

For more details about the requirements and other ways to disable the certificate checks, have a look to "this knowledge base article":http://support.microsoft.com/kb/926182.