Thanks to all of you in your assistance. With the recommended changes to the openssl.cnf file, I have successfully signed the CSR from the Watchguard box and imported it as a web cert (the Type that the Watchguard box sees). However, in order to use it for VPN tunnels, the device needs it to be a type IPSec. What is the extended key usage setting for that?
On Tue, Aug 26, 2008 at 10:41 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote: > [usr_cert] is the appropriate section. > > This is above the [v3_req] section, at least in the vanilla 0.9.8h sources. > > -Kyle H > > On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman > <[EMAIL PROTECTED]> wrote: >> What is the appropriate section? >> >> Sorry if this is a basic question, but I am working on improving my >> knowledge. >> >> On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson >> <[EMAIL PROTECTED]> wrote: >>> Chris: >>> >>> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote: >>>> There is no ExtendedKeyUsage extension. >>>> >>>> To fix this, in your openssl.cnf file in section [usr_cert] there is a >>>> commented-out line that needs to be uncommented. >>>> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment >>>> >>>> Then generate a new certificate. >>>> >>> Actually - that will only set the keyUsage extension (Which you will need) - >>> what you also want to set is to add a line to the appropriate section in the >>> openssl.cnf file that you are using to generate the certificate below that >>> that has: >>> >>> extendedKeyUsage = serverAuth,clientAuth >>> >>> And then regen the certificate. >>> >>> Have fun. >>> >>> Patrick. >>> >>>> -Kyle H >>>> >>>> >>>> On Tue, Aug 26, 2008 at 9:20 AM, Chris Zimmerman >>>> >>>> <[EMAIL PROTECTED]> wrote: >>>> > Here's the cert for the Watchguard: >>>> > >>>> > Certificate: >>>> > Data: >>>> > Version: 3 (0x2) >>>> > Serial Number: 15 (0xf) >>>> > Signature Algorithm: sha1WithRSAEncryption >>>> > Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System, >>>> > CN=Company Root CA/[EMAIL PROTECTED] >>>> > Validity >>>> > Not Before: Aug 26 16:16:57 2008 GMT >>>> > Not After : Aug 24 16:16:57 2018 GMT >>>> > Subject: C=US, ST=TX, O=Company, OU=System, CN=WG >>>> > Subject Public Key Info: >>>> > Public Key Algorithm: rsaEncryption >>>> > RSA Public Key: (1024 bit) >>>> > Modulus (1024 bit): >>>> > 00:c2:83:76:81:24:5c:48:09:71:66:bb:22:37:05: >>>> > f3:8b:0b:f6:df:24:a0:ec:d8:65:ac:d5:77:7f:e0: >>>> > 91:f1:86:a4:00:23:17:c2:28:1f:81:e0:6d:e8:24: >>>> > e7:0a:bb:7e:a5:72:57:6d:65:cb:ec:7c:f1:d0:64: >>>> > 63:9f:0d:0c:b3:4c:c6:e4:3f:7c:f9:1f:53:6b:c0: >>>> > 47:3a:59:4d:87:37:e5:f6:4f:ef:75:20:5b:93:0b: >>>> > f9:8b:d7:4b:b7:4c:0c:e2:8c:2e:34:ad:23:3e:c6: >>>> > 89:1e:6f:3b:0d:52:25:69:d2:42:d3:de:cd:cd:e3: >>>> > ef:80:8a:e0:2d:1c:20:8f:6b >>>> > Exponent: 65537 (0x10001) >>>> > X509v3 extensions: >>>> > X509v3 Basic Constraints: >>>> > CA:FALSE >>>> > Netscape Comment: >>>> > OpenSSL Generated Certificate >>>> > X509v3 Subject Key Identifier: >>>> > >>>> > 3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E1:D7:7C:71:A5:FF X509v3 >>>> > Authority Key Identifier: >>>> > >>>> > keyid:DB:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44:F7:58:A0:8A:E8 >>>> > >>>> > Signature Algorithm: sha1WithRSAEncryption >>>> > 7b:b7:d0:ca:42:96:24:6a:26:e1:a4:e1:45:91:d1:28:14:97: >>>> > e2:ea:dc:d6:59:97:73:ef:1a:5a:54:a4:33:fe:c2:0c:74:ca: >>>> > 6b:e4:85:4c:a0:9d:49:7a:1a:b0:fd:48:5c:6a:bc:de:44:53: >>>> > 73:23:bc:0f:ab:b6:cb:49:5a:53:2c:5c:d5:24:23:3b:e6:da: >>>> > 16:22:d4:db:1c:82:ac:7a:37:01:0f:a5:4e:24:92:2b:bc:2e: >>>> > 33:01:4d:5e:c3:7f:91:0f:3d:1d:ea:b8:8d:ad:38:ed:ab:44: >>>> > b7:2d:82:7b:c3:0d:2a:a2:21:8a:58:25:ac:c4:cb:f0:57:4e: >>>> > ed:ec >>>> > >>>> > On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote: >>>> >> openssl x509 -in [filename] -noout -text -inform PEM >>>> >> >>>> >> -Kyle H >>>> >> >>>> >> On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman >>>> >> >>>> >> <[EMAIL PROTECTED]> wrote: >>>> >>> That command seems to have a syntax problem, showing: "unknown option >>>> >>> [cert.pem-inserted my cert here]" >>>> >>> >>>> >>> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson <[EMAIL PROTECTED]> wrote: >>>> >>>> Chris Zimmerman wrote: >>>> >>>>> I am working to setup a Watchguard firewall with x509 certs for VPN >>>> >>>>> tunnels. I have created my own CA on my laptop and I have created a >>>> >>>>> CSR on the Watchguard product. I have then signed the CSR with my CA >>>> >>>>> certificate successfully which then imports into the Watchguard. >>>> >>>>> Here's the problem: Watchguard requires that the cert be typed as >>>> >>>>> "Web" or "IPSec" if it is to be used for VPN tunnels. Everytime I >>>> >>>>> import my signed cert it shows up as a CA Cert type. I know this is >>>> >>>>> an interop question, but has any got an idea of what to try to get >>>> >>>>> this working? I've been at this for days now with no success. >>>> >>>> >>>> >>>> Look a the various settings for basic constraints, key usage and >>>> >>>> extended key usage as controlled in openssl.cnf ... basically you need >>>> >>>> to set them to match what Watchguard wants. >>>> >>>> >>>> >>>> Perhaps you have the v3_ca stuff set. >>>> >>>> >>>> >>>> The output of >>>> >>>> openssl x509 -text -noout cert.pem >>>> >>>> will let me see what you have set in the way of those extensions. >>>> >>>> >>>> >>>> If you have a working certificate and a non-working one then comparing >>>> >>>> the text output should help show what the requirements are. >>>> >>>> >>>> >>>> Tim. >>>> >>> >>>> >>> ______________________________________________________________________ >>>> >>> OpenSSL Project http://www.openssl.org >>>> >>> User Support Mailing List openssl-users@openssl.org >>>> >>> Automated List Manager [EMAIL PROTECTED] >>>> >> >>>> >> ______________________________________________________________________ >>>> >> OpenSSL Project http://www.openssl.org >>>> >> User Support Mailing List openssl-users@openssl.org >>>> >> Automated List Manager [EMAIL PROTECTED] >>>> > >>>> > ______________________________________________________________________ >>>> > OpenSSL Project http://www.openssl.org >>>> > User Support Mailing List openssl-users@openssl.org >>>> > Automated List Manager [EMAIL PROTECTED] >>>> >>>> ______________________________________________________________________ >>>> OpenSSL Project http://www.openssl.org >>>> User Support Mailing List openssl-users@openssl.org >>>> Automated List Manager [EMAIL PROTECTED] >>> ______________________________________________________________________ >>> OpenSSL Project http://www.openssl.org >>> User Support Mailing List openssl-users@openssl.org >>> Automated List Manager [EMAIL PROTECTED] >>> >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager [EMAIL PROTECTED] >> > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
