Version 2 (Martin Willi, 07.05.2009 14:01) → Version 3/13 (Andreas Steffen, 12.05.2009 09:57)

h1. Requirements for certificates used with Windows 7

The Windows 7 Beta release was liberal in accepting certificates, but the Release Candidate adds new requirements to the VPN gateway certificate.

h2. Required fields

Your gateway certificate must have:

* An *Extended Key Usage* flag, explicitly allowing the certificate to be used for authentication purposes. It is currently unclear which OIDs are accepted by Windows, but it seems that the "serverAuth" OID (_1.3.6.1.5.5.7.3.1_, often called _TLS Web server authentication_) gets accepted. If you are using OpenSSL to generate your certificates, then include the option


<pre>
extendedKeyUsage = serverAuth
</pre>

* The hostname of the VPN gateway entered in the client's connection properties MUST be contained either in the *Distinguished Name* of the certificate or in a *subjectAltName* extension. E.g. using OpenSSL the subjectAltName _vpn.strongswan.org_ can be added with the option

<pre>
subjectAltName = DNS:vpn.strongswan.org
</pre>
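The two OpenSSL options above put together, as an added example that is not part of the original page: an extension section for the gateway certificate, a self-signed test certificate issued from it, and a check that the resulting certificate really carries the serverAuth EKU and the DNS name the client will dial. The hostname, the working directory and the file names are assumed placeholders.

```shell
# Added example: build a gateway certificate carrying the extensions Windows 7
# requires and verify them. Hostname and file names are assumed placeholders.
set -eu

GATEWAY_HOST="vpn.strongswan.org"   # must match the hostname the client dials
WORKDIR="${TMPDIR:-/tmp}/win7-cert-example"
mkdir -p "$WORKDIR"

# Extension section for the gateway certificate: serverAuth EKU plus a SAN
# carrying the DNS name entered in the client's connection properties.
cat > "$WORKDIR/gateway.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = gateway_ext

[ dn ]
CN = $GATEWAY_HOST

[ gateway_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$GATEWAY_HOST
EOF

# Issue a self-signed test certificate from that config (a real deployment
# would instead sign a CSR with the CA that the Windows client trusts).
gen_gateway_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -config "$WORKDIR/gateway.cnf" \
    -keyout "$WORKDIR/gateway.key" -out "$WORKDIR/gateway.crt" 2>/dev/null
}

# Return 0 only if the certificate has the serverAuth EKU and lists the
# given hostname as a DNS subjectAltName; print what is missing otherwise.
check_gateway_cert() {
  cert="$1"; host="$2"
  text=$(openssl x509 -in "$cert" -noout -text)
  ok=0
  echo "$text" | grep -q "TLS Web Server Authentication" ||
    { echo "missing extendedKeyUsage serverAuth"; ok=1; }
  echo "$text" | grep -q "DNS:$host" ||
    { echo "missing subjectAltName DNS:$host"; ok=1; }
  return $ok
}

gen_gateway_cert
check_gateway_cert "$WORKDIR/gateway.crt" "$GATEWAY_HOST" && echo "gateway certificate OK"
```

Running the same check against a certificate issued for another hostname reports the missing subjectAltName and returns non-zero, which is the mismatch the Windows 7 client rejects.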

h2. Disabling extended certificate checks

Alternatively, you may disable these extended certificate checks on the client.

> *This is potentially dangerous, as any certificate holder assured by your CA may act as the VPN gateway.*

To disable the extended checks, add a _DWORD_ value called _DisableIKENameEkuCheck_ under
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\
in the client's Registry.

h2. Further information

For more details about the requirements and other ways to disable the certificate checks, have a look at "this knowledge base article":http://support.microsoft.com/kb/926182.