Requirements for certificates used with Windows 7 » History » Version 6

charchess ney, 02.06.2010 08:34


Requirements for certificates used with Windows 7

The Windows 7 Beta release was liberal in accepting certificates, but the Release Candidate adds new requirements for the VPN gateway certificate.

Required fields

Your gateway certificate must have:

  • An Extended Key Usage extension explicitly allowing the certificate to be used for authentication. It is currently unclear which OIDs Windows accepts, but the serverAuth EKU with OID 1.3.6.1.5.5.7.3.1 (often called TLS Web Server Authentication) is known to work. If you generate your certificates with OpenSSL, include the option
    extendedKeyUsage = serverAuth
    

    In Windows 7, you now also have to add the "IP Security IKE Intermediate" EKU. This is done by adding its OID, 1.3.6.1.5.5.8.2.2, to the extendedKeyUsage (a good page for understanding IKEv2 on Windows is this one), which gives
    extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2

  • The hostname of the VPN gateway entered in the client's connection properties MUST be contained either in the subjectDistinguishedName of the server certificate (as the CN), for example
    C=CH, O=strongSwan Project, CN=vpn.strongswan.org
    

    or in a subjectAltName extension, which can be added with the option

    subjectAltName = DNS:vpn.strongswan.org
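
The script below is an added example and not code from the strongSwan wiki. It builds a throw-away CA and issues a gateway certificate with OpenSSL using exactly the extendedKeyUsage and subjectAltName options listed above, then applies the two Windows 7 rules (both EKUs present, typed hostname found in the subject CN or a DNS subjectAltName) to a certificate file before it is deployed. It goes slightly beyond the text by also showing two rejected cases: a certificate without the extensions, as the Beta still accepted, and a correct certificate checked against the wrong hostname. The hostname vpn.example.com, the DN values, the file names and the helper function names are assumptions; it needs the openssl command line tool (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not code from the strongSwan wiki. Needs the openssl CLI.
# Hostnames, DN values and file names below are made up for illustration.

# Create a throw-away CA in directory $1; gateway certificates are issued from it.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/C=CH/O=strongSwan Project/CN=strongSwan Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Write the OpenSSL extension file for a Windows 7 compatible gateway certificate:
# both EKUs from the page plus the gateway hostname as a DNS subjectAltName.
# $1 = file to write, $2 = gateway hostname the client will type in
write_win7_extensions() {
    cat > "$1" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$2
EOF
}

# Issue a certificate from the CA in $1: $2 = output base name, $3 = subject CN,
# $4 = extension file (the only source of EKU and SAN in the issued certificate).
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CH/O=strongSwan Project/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 1825 -sha256 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$4" -out "$1/$2.crt" 2>/dev/null
}

# Succeed if certificate $1 lists an EKU matching the extended regex $2.
# openssl prints EKUs it knows by name (serverAuth appears as
# "TLS Web Server Authentication") and unknown ones as dotted OIDs.
cert_has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Extended Key Usage/ { getline; print }' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -qiE -- "$2"
}

# Print the names certificate $1 vouches for: the subject CN, then every DNS SAN.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*[^ ]\) *$/\1/p'
}

# Apply the Windows 7 rules from the page to certificate $1 for hostname $2,
# the name typed into the connection properties. Returns 0 only if all pass.
check_win7_cert() {
    cert_has_eku "$1" '^(TLS Web Server Authentication|serverAuth)$' \
        || { echo "$1: no serverAuth EKU (1.3.6.1.5.5.7.3.1)"; return 1; }
    cert_has_eku "$1" '^(1\.3\.6\.1\.5\.5\.8\.2\.2|IP ?Sec(urity)? IKE Intermediate)$' \
        || { echo "$1: no IP Security IKE Intermediate EKU (1.3.6.1.5.5.8.2.2)"; return 1; }
    cert_names "$1" | grep -qxF -- "$2" \
        || { echo "$1: hostname $2 is in neither the subject CN nor a DNS subjectAltName"; return 1; }
    echo "$1: accepted for $2"
}

# Demo: a compliant gateway certificate, one issued without the extensions
# (as the Beta still accepted), and the compliant one checked against the wrong name.
WORK=$(mktemp -d)
make_ca "$WORK"
write_win7_extensions "$WORK/win7.ext" vpn.example.com
issue_cert "$WORK" gateway vpn.example.com "$WORK/win7.ext"
printf 'basicConstraints = CA:FALSE\n' > "$WORK/plain.ext"
issue_cert "$WORK" legacy vpn.example.com "$WORK/plain.ext"

check_win7_cert "$WORK/gateway.crt" vpn.example.com          # accepted
check_win7_cert "$WORK/legacy.crt"  vpn.example.com || true  # rejected: no EKUs
check_win7_cert "$WORK/gateway.crt" gw.example.com  || true  # rejected: name mismatch
rm -rf "$WORK"
```

The name check deliberately accepts the CN alone, as the page allows, so a certificate that carries the EKUs but no subjectAltName still passes as long as the CN equals the typed hostname; if you point the client at the gateway's IP address instead of a name, put that address in the CN or add an IP: entry to subjectAltName.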
    

Disabling extended certificate checks

Alternatively, you may disable these extended certificate checks on the client.

This is potentially dangerous: with the checks disabled, the holder of any certificate issued by your CA can pose as the VPN gateway, not only the gateway itself.

To disable the extended checks, add a DWORD called DisableIKENameEkuCheck with a value of 1 to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\

in the client's registry.

Further information

For more details about the requirements and other ways to disable the certificate checks, have a look at this knowledge base article.