Version 1 (Martin Willi, 07.05.2009 14:00) → Version 2/13 (Martin Willi, 07.05.2009 14:01)
h1. Requirements for certificates used with Windows 7
The Windows 7 Beta release was liberal in accepting certificates, but the Release Candidate adds new requirements for the certificates used.
h2. Required fields
Your Gateway certificate must have:
* An _Extended Key Usage Flag_, explicitly allowing the certificate to be used for authentication purposes. It is currently unclear which OIDs are accepted by Windows, but it seems that the _ServerAuth_ OID (_1.3.6.1.5.5.7.3.1_, often called _TLS Web server authentication_) is accepted.
* The Gateway Hostname entered in the client's connection properties MUST be contained in the _Distinguished Name_ of the certificate or in a _subjectAltName_.
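One way to check a gateway certificate against the two requirements above before deploying it, as an added example that is not part of the original wiki page or of strongSwan. It assumes the @openssl@ command-line tool is installed, treats "contained in the Distinguished Name" as a matching CN, and uses the hypothetical hostname vpn.example.com with throwaway certificates built by the helper @make_cert@.

```shell
# Assumption: "contained in the Distinguished Name" is tested as CN=<hostname>.
check_gateway_cert() {  # usage: check_gateway_cert <cert.pem> <gateway-hostname>
  cert=$1
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # hostnames compare case-insensitively
  text=$(openssl x509 -in "$cert" -noout -text) || return 2
  rc=0

  # Requirement 1: Extended Key Usage lists serverAuth (1.3.6.1.5.5.7.3.1).
  if ! printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
       grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: no serverAuth Extended Key Usage"; rc=1
  fi

  # Requirement 2: hostname is a subjectAltName DNS entry or the subject CN.
  san=$(printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr -d ' ' | tr ',' '\n' | tr 'A-Z' 'a-z')
  dn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed 's/^subject= *//' | tr ',' '\n' | tr 'A-Z' 'a-z')
  if ! printf '%s\n' "$san" | grep -qxF "dns:$host" &&
     ! printf '%s\n' "$dn" | grep -qxF "cn=$host"; then
    echo "FAIL: $host not in subjectAltName or subject CN"; rc=1
  fi
  return $rc
}

# Constructed sample input: throwaway self-signed certificate with the given
# CN and extension lines (hypothetical helper, only used to feed the check).
make_cert() {  # usage: make_cert <out.pem> <CN> <extension lines>
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\n%s\n' \
    "$2" "$3" > "$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_cert "$tmp/good.pem" gw "extendedKeyUsage=serverAuth
subjectAltName=DNS:vpn.example.com"
make_cert "$tmp/bad.pem" vpn.example.org "basicConstraints=CA:FALSE"
check_gateway_cert "$tmp/good.pem" VPN.example.com && echo "good.pem: OK"
check_gateway_cert "$tmp/bad.pem" vpn.example.com || echo "bad.pem: rejected"
rm -rf "$tmp"
```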
h2. Disabling extended certificate checks
Alternatively, you may disable these extended certificate checks on the client.
> *This is potentially dangerous, as any certificate holder assured by your CA may act as the VPN gateway.*
To disable the extended checks, add a _DWORD_ called _DisableIKENameEkuCheck_ to
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\
in the client's registry.
h3. Further information
For more details about the requirements and other ways to disable the certificate checks, have a look at "this knowledge base article":http://support.microsoft.com/kb/926182.