Requirements for certificates used with Windows 7 » History » Version 7
Version 6 (charchess ney, 02.06.2010 08:34) → Version 7/13 (Tobias Brunner, 22.10.2012 15:54)
h1. Requirements for certificates used with Windows 7
The Windows 7 Beta release was liberal in accepting certificates, but already the Release Candidate added several new requirements for the VPN gateway certificate.
h2. Required fields
Your gateway certificate must have:
* An *Extended Key Usage* flag explicitly allowing the certificate to be used for authentication purposes. It is currently unclear which OIDs are accepted by Windows, but it seems that the *serverAuth* EKU with the OID _1.3.6.1.5.5.7.3.1_ (often called _TLS Web server authentication_) will do. If you are using OpenSSL to generate your certificates then include the option
<pre>
extendedKeyUsage = serverAuth
</pre>
For the [[IpsecPkiIssue|ipsec pki]] tool add the following argument
<pre>
--flag serverAuth
</pre>
In addition to _serverAuth_, adding the "IP Security IKE Intermediate" EKU with OID _1.3.6.1.5.5.8.2.2_ does not hurt either and will allow you to use the certificate with older [[IOS_(Apple)|Mac OS X releases]] too (a good page for understanding IKEv2 on Windows is "this one":http://www.carbonwind.net/blog/post/VPN-Reconnect-in-Windows-7-RC-redux.aspx).
So, this will work too:
<pre>
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
</pre>
or, for the ipsec pki tool,
<pre>
--flag serverAuth --flag ikeIntermediate
</pre>
* The hostname of the VPN gateway entered in the client's connection properties *MUST* be contained either in the *subjectDistinguishedName* of the server certificate
<pre>
C=CH, O=strongSwan Project, CN=vpn.strongswan.org
</pre>
or in a *subjectAltName* extension that can be added with the OpenSSL option
<pre>
subjectAltName = DNS:vpn.strongswan.org
</pre>
or the [[IpsecPkiIssue|ipsec pki issue]] argument
<pre>
--san vpn.strongswan.org
</pre>
For optimal compatibility with other client implementations it is recommended to include the hostname as *subjectAltName*, as matching only parts of the distinguished name is not compliant with "RFC 4945":http://tools.ietf.org/html/rfc4945.
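As an added example (not from this wiki page or the strongSwan project), the following script builds a throw-away gateway certificate with exactly the OpenSSL options listed above and checks it the way the Windows 7 client would: serverAuth EKU present, IKE Intermediate EKU present, and the hostname in a subjectAltName (or, as a fallback, in the CN). A second certificate without the extensions shows what the Release Candidate rejects. The hostname, file names and the config section names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki): build a gateway certificate with
# the fields this page requires and check it as the Windows 7 client would.
# Only the openssl CLI is needed; key and certificate are constructed throw-aways.
set -e
HOST=vpn.strongswan.org              # name the client enters for the connection
WORK=$(mktemp -d)

# OpenSSL config: [gw_ext] carries the serverAuth + IKE Intermediate EKUs and the
# hostname as SAN; [no_ext] yields a Beta-era certificate lacking both.
cat > "$WORK/gw.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = CH
O = strongSwan Project
CN = $HOST
[gw_ext]
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$HOST
[no_ext]
basicConstraints = CA:FALSE
EOF
for name in good bad; do
  ext=no_ext; [ "$name" = bad ] || ext=gw_ext
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/gw.cnf" \
    -extensions "$ext" -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
done

# check_win7_cert CERT HOSTNAME: returns 0 if CERT satisfies the Windows 7 client
# for HOSTNAME, 1 with the reason on stdout otherwise. Substring matches on the
# openssl text dump are enough for a sanity check, not for production validation.
check_win7_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in
    *"TLS Web Server Authentication"*) ;;           # serverAuth, 1.3.6.1.5.5.7.3.1
    *) echo "missing serverAuth EKU"; return 1 ;;
  esac
  case "$text" in
    *"1.3.6.1.5.5.8.2.2"*|*"IKE Intermediate"*) ;;  # printed raw or by name
    *) echo "note: no IKE Intermediate EKU, older Mac OS X clients need it" ;;
  esac
  case "$text" in
    *"DNS:$2"*) return 0 ;;                          # SAN: the RFC 4945 way
    *"CN = $2"*|*"CN=$2"*) echo "note: name only in CN, add a SAN"; return 0 ;;
  esac
  echo "hostname $2 neither in subjectAltName nor in CN"; return 1
}
```

Run `check_win7_cert "$WORK/good.pem" "$HOST"` and the same for `bad.pem` to see the two outcomes; point it at your real gateway certificate and the name configured on the client to verify a deployment.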
h2. Disabling extended certificate checks
Alternatively, you may disable these extended certificate checks on the client.
> *This is potentially dangerous, as any certificate holder assured by your CA may act as the VPN gateway.*
To disable the extended checks, add a _DWORD_ called *DisableIKENameEkuCheck* to
<pre>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\
</pre>
in the client's registry.
h2. Further information
For more details about the requirements and other ways to disable the certificate checks, have a look at "this knowledge base article":http://support.microsoft.com/kb/926182.
"This blog entry":http://www.carbonwind.net/blog/post/VPN-Reconnect-in-Windows-7-RC-redux.aspx also provides detailed information about the Windows 7 certificate requirements.