Requirements for certificates used with Windows 7 » History » Version 2
Requirements for certificates used with Windows 7¶
The Windows 7 Beta release was liberal in accepting certificates, but the Release Candidate adds new requirements to the used certificates.
Your Gateway certificate must have:
- An Extended Key Usage Flag, expilicitly allowing the certificate to be used for authentication purposes. It is currently unclear which OIDs are accepted by Windows, but it seems that the ServerAuth OID (220.127.116.11.18.104.22.168.1, often called TLS Web server authentication) gets accepted.
- The Gateway Hostname entered in the clients connection properties MUST be contained in the Distinguished Name of the certificate or in a subjectAltName.
Disabling extended certificate checks¶
Alternatively, you may disable these extended certificate checks on the client.
This is potentially dangerous, as any certificate holder assured by your CA may act as the VPN gateway.
To disable the extended checks, add a DWORD called DisableIKENameEkuCheck to
in the clients Registry.
For more details about the requirements and other ways to disable the certificate checks, have a look to this knowledge base article.