strongSwan

h1. Requirements for certificates used with Windows 7

The Windows 7 Beta release was liberal in accepting certificates, but already the Release Candidate added several new requirements for the VPN gateway certificate.

h2. Required fields

Your gateway certificate must have:

* An *Extended Key Usage* flag explicitly allowing the certificate to be used for authentication purposes. The *serverAuth* EKU having the OID _1.3.6.1.5.5.7.3.1_ (often called _TLS Web server authentication_) will do that. If you are using OpenSSL to generate your certificates then include the option

  <pre>

extendedKeyUsage = serverAuth

</pre>

  For the [[IpsecPkiIssue|ipsec pki]] tool add the following argument

  <pre>

--flag serverAuth

</pre>

  In addition to _serverAuth_ the "IP Security IKE Intermediate" EKU with OID _1.3.6.1.5.5.8.2.2_ does not hurt either and will allow you to use the certificate with older [[IOS_(Apple)|Mac OS X releases]] too.

  So, this will work too:

  <pre>

extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2

</pre><pre>

--flag serverAuth --flag ikeIntermediate

</pre>

* The hostname of the VPN gateway entered in the clients connection properties *MUST* be contained either in the *subjectDistinguishedName* of the server certificate

  <pre>

C=CH, O=strongSwan Project, CN=vpn.strongswan.org

</pre>

  and/or in a *subjectAltName* extension that can be added with the OpenSSL option

  <pre>

subjectAltName = DNS:vpn.strongswan.org

</pre>

  or the [[IpsecPkiIssue|ipsec pki issue]] argument

  <pre>

--san vpn.strongswan.org

</pre>

  *For optimal interoperability* with other client implementations it is recommended to include the hostname as *subjectAltName*, because matching only parts of the distinguished name is actually not compliant with "RFC 4945":http://tools.ietf.org/html/rfc4945. Having the hostname encoded as *subjectAltName* is essential when using [[AndroidVpnClient|our Android app]] or working with [[IOS_(Apple)|Mac OS X clients]].

h2. Disabling extended certificate checks

Alternatively, you may disable these extended certificate checks on the client. 

> *This is potentially dangerous, as any certificate holder assured by your CA may act as the VPN gateway.*

To disable the extended checks, add a _DWORD_ called *DisableIKENameEkuCheck* to

<pre>

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\

</pre>

in the client's registry.

h2. Further information

For more details about the requirements and other ways to disable the certificate checks, have a look to "this knowledge base article":http://support.microsoft.com/kb/926182.

"This blog entry":http://www.carbonwind.net/blog/post/VPN-Reconnect-in-Windows-7-RC-redux.aspx also provides detailed information about the Windows 7 certificate requirements.