Hi Chris:

On August 26, 2008 01:06:00 am Chris Zimmerman wrote:
> I am working to setup a Watchguard firewall with x509 certs for VPN
> tunnels.  I have created my own CA on my laptop and I have created a
> CSR on the Watchguard product.  I have then signed the CSR with my CA
> certificate successfully which then imports into the Watchguard.
> Here's the problem: Watchguard requires that the cert be typed as
> "Web" or "IPSec" if it is to be used for VPN tunnels.  Every time I
> import my signed cert it shows up as a CA Cert type.  I know this is
> an interop question, but has anyone got an idea of what to try to get
> this working?  I've been at this for days now with no success.
>
What you're looking for are the X.509 extensions "Extended Key Usage", 
and "Key Usage".

For a CA, there are several things that make it a "CA" Cert:

1: It is typically self signed. (Same Issuer as Subject)
2: It has the Extension "Basic Constraints" with the content CA:TRUE
3: It has the Extension "Key Usage", with the values digitalSignature, 
certSign, and crlSign.

For a "Device" or End Entity Cert (what you want for your Watchguard box), 
there are several common characteristics:

1: It is typically signed by a CA.
2: If the extension "Basic Constraints" is present, it is set to "CA:FALSE".
3: It has the Extension "Key Usage" with the values digitalSignature
3a: If this is to be used for SSL client or server, the additional values of 
keyAgreement and keyEncipherment may also be present.
4: It has the Extension "Extended Key Usage", with the values of serverAuth or 
clientAuth, depending on which side of the transaction it is. It may have 
both, although some programs don't like that. It may also have the value 
anyExtendedKeyUsage to allow it to be used for any purpose, and the 
Watchguard box should recognise that. It may also have one of the IPsec-specific 
Extended Key Usage values: ipsecEndSystem, ipsecTunnel, ipsecUser (but I'm 
not sure if OpenSSL has implemented these last three).

Regardless - that is what your device is telling you.

If you want a good howto to help you set up your CA to issue certs that should 
work for issuing certificates to a Watchguard box, take a look at 
the "CertiPath OpenSSL Howto" guide that we've written:

http://www.carillon.ca/library/howtos.php

It will show you how to configure the openssl.cnf files to generate 
certificates with any and all of the above values set.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
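The two profiles Patrick describes, as an added example that is not from the mail or the CertiPath howto: an openssl.cnf fragment with a CA section and an end-entity VPN section, the same CSR signed under each, and a check that reads the resulting certificate roughly the way the firewall does (OpenSSL does accept the three ipsec* Extended Key Usage names). Assumes an openssl binary on PATH; the CN values, file names and section names are made up.

```shell
#!/bin/sh
# Added example (not from the mail or the CertiPath howto); assumes openssl on PATH, all names made up.
set -e
WORK=$(mktemp -d)
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
# CA profile: the extensions that make a cert read as a "CA Cert".
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# End-entity VPN profile for the firewall: CA:FALSE plus the VPN purposes.
[ v3_vpn ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, ipsecEndSystem, ipsecTunnel, ipsecUser
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# Self-signed CA issued under the CA profile.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=Demo CA" \
  -config "$WORK/ext.cnf" -extensions v3_ca -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# A CSR standing in for the one the firewall generated.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn.example.test" \
  -config "$WORK/ext.cnf" -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" 2>/dev/null
# sign_csr SECTION OUT: sign the CSR with the CA, taking extensions from SECTION.
sign_csr() {
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" -extensions "$1" \
    -out "$2" 2>/dev/null
}
# cert_has CERT PATTERN: succeed if the decoded certificate text mentions PATTERN.
cert_has() { openssl x509 -in "$1" -noout -text | grep -q -- "$2"; }
# Classify roughly as a device would: CA:TRUE or Certificate Sign means "CA".
cert_type() {
  if cert_has "$1" 'CA:TRUE' || cert_has "$1" 'Certificate Sign'; then echo CA
  elif cert_has "$1" 'IPSec'; then echo IPSec
  elif cert_has "$1" 'TLS Web'; then echo Web
  else echo Unknown; fi
}
sign_csr v3_ca  "$WORK/wrong.pem"   # the same CSR signed with the CA profile by mistake
sign_csr v3_vpn "$WORK/vpn.pem"     # signed with the end-entity VPN profile
echo "CA profile:  $(cert_type "$WORK/wrong.pem")"   # CA
echo "VPN profile: $(cert_type "$WORK/vpn.pem")"     # IPSec
```

The first signing run reproduces a certificate that a device will file as a CA cert; the second carries CA:FALSE, no certSign bit and the VPN purposes in Extended Key Usage.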
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org