Project

General

Profile

Requirements for certificates used with Windows 7 » History » Version 3

« Previous - Version 3/13 (diff) - Next » - Current version
Andreas Steffen, 12.05.2009 09:57
added OpenSSL options


Requirements for certificates used with Windows 7

The Windows 7 Beta release was liberal in accepting certificates, but the Release Candidate adds new requirements for the VPN gateway certificate.

Required fields

Your gateway certificate must have:

  • An Extended Key Usage flag, explicitly allowing the certificate to be used for authentication purposes. It is currently unclear which OIDs are accepted by Windows, but it seems that the "serverAuth" OID (1.3.6.1.5.5.7.3.1, often called TLS Web server authentication) gets accepted. If you are using OpenSSL to generate your
    certificates then include the option
extendedKeyUsage = serverAuth
  • The hostname of the VPN gateway entered in the clients connection properties MUST be contained either in the Distinguished Name of the certificate or in a subjectAltName extension. E.g. using OpenSSL the subjectAltName vpn.strongswan.org can be added with the option
subjectAltName = DNS:vpn.strongswan.org

Disabling extended certificate checks

Alternatively, you may disable these extended certificate checks on the client.

This is potentially dangerous, as any certificate holder assured by your CA may act as the VPN gateway.

To disable the extended checks, add a DWORD called DisableIKENameEkuCheck to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\

in the clients Registry.

Futher information

For more details about the requirements and other ways to disable the certificate checks, have a look to this knowledge base article.