Project

General

Profile

History

strongSwan User Documentation » Interoperability » Windows Clients »

Requirements for certificates used with Windows 7 » History » Version 9

« Previous - Version 9/13 (diff) - Next » - Current version
Tobias Brunner, 23.10.2013 13:24
Use an ordered list to clarify that there is more than one requirement

Requirements for certificates used with Windows 7

The Windows 7 Beta release was liberal in accepting certificates, but already the Release Candidate added several new requirements for the VPN gateway certificate.

Required fields

Your gateway certificate must have:

  1. An Extended Key Usage flag explicitly allowing the certificate to be used for authentication purposes. The serverAuth EKU having the OID 1.3.6.1.5.5.7.3.1 (often called TLS Web server authentication) will do that. If you are using OpenSSL to generate your certificates then include the option
    extendedKeyUsage = serverAuth

    For the ipsec pki tool add the following argument

    --flag serverAuth

    In addition to serverAuth the "IP Security IKE Intermediate" EKU with OID 1.3.6.1.5.5.8.2.2 does not hurt either and will allow you to use the certificate with older Mac OS X releases too.
    So, this will work too:

    extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2

    --flag serverAuth --flag ikeIntermediate
  2. The hostname of the VPN gateway entered in the clients connection properties MUST be contained either in the subjectDistinguishedName of the server certificate 
    C=CH, O=strongSwan Project, CN=vpn.strongswan.org

    and/or in a subjectAltName extension that can be added with the OpenSSL option

    subjectAltName = DNS:vpn.strongswan.org

    or the ipsec pki issue argument

    --san vpn.strongswan.org

    For optimal interoperability with other client implementations it is recommended to include the hostname as subjectAltName, because matching only parts of the distinguished name is actually not compliant with RFC 4945. Having the hostname encoded as subjectAltName is essential when using our Android app or working with Mac OS X clients.

Disabling extended certificate checks

Alternatively, you may disable these extended certificate checks on the client.

This is potentially dangerous, as any certificate holder assured by your CA may act as the VPN gateway.

To disable the extended checks, add a DWORD called DisableIKENameEkuCheck to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\Parameters\

in the client's registry.

Further information

For more details about the requirements and other ways to disable the certificate checks, have a look to this knowledge base article.

This blog entry also provides detailed information about the Windows 7 certificate requirements.