Here's what I had to add to the config to get it to work (as listed by
the vendor):
[ new_oids ]
pkixeku=1.3.6.1.5.5.8.2
ikeIntermediate=${pkixeku}.2
[ usr_cert ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth,ikeIntermediate
Any thoughts on why this works?
On Tue, Aug 26, 2008 at 2:50 PM, Chris Zimmerman
<[EMAIL PROTECTED]> wrote:
> Well, those attributes will work (minus the IKE one-it was not
> recognized) but the Watchguard does not assign it with a type of
> IPSec, so I've contacted Watchguard support to request the expected
> extended attributes for this. I will post a reply as soon as I know.
>
> On Tue, Aug 26, 2008 at 1:41 PM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>> This is a bug, per RFC 4549. Please submit a report to your vendor.
>> (The semantics of the OIDs were never well-defined, and they have been
>> obsoleted -- according to RFC4549, having keyUsage=digitalSignature
>> and no EKU should work for IPsec.)
>>
>> In the [new_oids] section, add new lines:
>>
>> pkixeku=1.3.6.1.5.5.7.3
>> ipsecendsystem=${pkixeku}.5
>> ipsectunnel=${pkixeku}.6
>> ipsecuser=${pkixeku}.7
>>
>> and then in [usr_cert] change your extendedKeyUsage line to:
>>
>> extendedKeyUsage=serverAuth,clientAuth,ipsecIKE,ipsecendsystem,ipsectunnel,ipsecuser
>>
>> This /should/ do it, but since I don't do anything with IPsec I can't
>> test it. My reference is
>> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
>>
>> -Kyle H
>>
>> On Tue, Aug 26, 2008 at 1:17 PM, Chris Zimmerman
>> <[EMAIL PROTECTED]> wrote:
>>> Thanks to all of you in your assistance. With the recommended changes
>>> to the openssl.cnf file, I have successfully signed the CSR from the
>>> Watchguard box and imported it as a web cert (the Type that the
>>> Watchguard box sees). However, in order to use it for VPN tunnels,
>>> the device needs it to be a type IPSec. What is the extended key
>>> usage setting for that?
>>>
>>> On Tue, Aug 26, 2008 at 10:41 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>>>> [usr_cert] is the appropriate section.
>>>>
>>>> This is above the [v3_req] section, at least in the vanilla 0.9.8h sources.
>>>>
>>>> -Kyle H
>>>>
>>>> On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman
>>>> <[EMAIL PROTECTED]> wrote:
>>>>> What is the appropriate section?
>>>>>
>>>>> Sorry if this is a basic question, but I am working on improving my
>>>>> knowledge.
>>>>>
>>>>> On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>> Chris:
>>>>>>
>>>>>> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>>>>>>> There is no ExtendedKeyUsage extension.
>>>>>>>
>>>>>>> To fix this, in your openssl.cnf file in section [usr_cert] there is a
>>>>>>> commented-out line that needs to be uncommented.
>>>>>>> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>>>>>>>
>>>>>>> Then generate a new certificate.
>>>>>>>
>>>>>> Actually - that will only set the keyUsage extension (Which you will
>>>>>> need) -
>>>>>> what you also want to set is to add a line to the appropriate section in
>>>>>> the
>>>>>> openssl.cnf file that you are using to generate the certificate below
>>>>>> that
>>>>>> that has:
>>>>>>
>>>>>> extendedKeyUsage = serverAuth,clientAuth
>>>>>>
>>>>>> And then regen the certificate.
>>>>>>
>>>>>> Have fun.
>>>>>>
>>>>>> Patrick.
>>>>>>
>>>>>>> -Kyle H
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Aug 26, 2008 at 9:20 AM, Chris Zimmerman
>>>>>>>
>>>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>>> > Here's the cert for the Watchguard:
>>>>>>> >
>>>>>>> > Certificate:
>>>>>>> > Data:
>>>>>>> > Version: 3 (0x2)
>>>>>>> > Serial Number: 15 (0xf)
>>>>>>> > Signature Algorithm: sha1WithRSAEncryption
>>>>>>> > Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System,
>>>>>>> > CN=Company Root CA/[EMAIL PROTECTED]
>>>>>>> > Validity
>>>>>>> > Not Before: Aug 26 16:16:57 2008 GMT
>>>>>>> > Not After : Aug 24 16:16:57 2018 GMT
>>>>>>> > Subject: C=US, ST=TX, O=Company, OU=System, CN=WG
>>>>>>> > Subject Public Key Info:
>>>>>>> > Public Key Algorithm: rsaEncryption
>>>>>>> > RSA Public Key: (1024 bit)
>>>>>>> > Modulus (1024 bit):
>>>>>>> > 00:c2:83:76:81:24:5c:48:09:71:66:bb:22:37:05:
>>>>>>> > f3:8b:0b:f6:df:24:a0:ec:d8:65:ac:d5:77:7f:e0:
>>>>>>> > 91:f1:86:a4:00:23:17:c2:28:1f:81:e0:6d:e8:24:
>>>>>>> > e7:0a:bb:7e:a5:72:57:6d:65:cb:ec:7c:f1:d0:64:
>>>>>>> > 63:9f:0d:0c:b3:4c:c6:e4:3f:7c:f9:1f:53:6b:c0:
>>>>>>> > 47:3a:59:4d:87:37:e5:f6:4f:ef:75:20:5b:93:0b:
>>>>>>> > f9:8b:d7:4b:b7:4c:0c:e2:8c:2e:34:ad:23:3e:c6:
>>>>>>> > 89:1e:6f:3b:0d:52:25:69:d2:42:d3:de:cd:cd:e3:
>>>>>>> > ef:80:8a:e0:2d:1c:20:8f:6b
>>>>>>> > Exponent: 65537 (0x10001)
>>>>>>> > X509v3 extensions:
>>>>>>> > X509v3 Basic Constraints:
>>>>>>> > CA:FALSE
>>>>>>> > Netscape Comment:
>>>>>>> > OpenSSL Generated Certificate
>>>>>>> > X509v3 Subject Key Identifier:
>>>>>>> >
>>>>>>> > 3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E1:D7:7C:71:A5:FF X509v3
>>>>>>> > Authority Key Identifier:
>>>>>>> >
>>>>>>> > keyid:DB:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44:F7:58:A0:8A:E8
>>>>>>> >
>>>>>>> > Signature Algorithm: sha1WithRSAEncryption
>>>>>>> > 7b:b7:d0:ca:42:96:24:6a:26:e1:a4:e1:45:91:d1:28:14:97:
>>>>>>> > e2:ea:dc:d6:59:97:73:ef:1a:5a:54:a4:33:fe:c2:0c:74:ca:
>>>>>>> > 6b:e4:85:4c:a0:9d:49:7a:1a:b0:fd:48:5c:6a:bc:de:44:53:
>>>>>>> > 73:23:bc:0f:ab:b6:cb:49:5a:53:2c:5c:d5:24:23:3b:e6:da:
>>>>>>> > 16:22:d4:db:1c:82:ac:7a:37:01:0f:a5:4e:24:92:2b:bc:2e:
>>>>>>> > 33:01:4d:5e:c3:7f:91:0f:3d:1d:ea:b8:8d:ad:38:ed:ab:44:
>>>>>>> > b7:2d:82:7b:c3:0d:2a:a2:21:8a:58:25:ac:c4:cb:f0:57:4e:
>>>>>>> > ed:ec
>>>>>>> >
>>>>>>> > On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton <[EMAIL PROTECTED]>
>>>>>>> > wrote:
>>>>>>> >> openssl x509 -in [filename] -noout -text -inform PEM
>>>>>>> >>
>>>>>>> >> -Kyle H
>>>>>>> >>
>>>>>>> >> On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman
>>>>>>> >>
>>>>>>> >> <[EMAIL PROTECTED]> wrote:
>>>>>>> >>> That command seems to have a syntax problem, showing: "unknown
>>>>>>> >>> option
>>>>>>> >>> [cert.pem-inserted my cert here]"
>>>>>>> >>>
>>>>>>> >>> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson <[EMAIL PROTECTED]>
>>>>>>> >>> wrote:
>>>>>>> >>>> Chris Zimmerman wrote:
>>>>>>> >>>>> I am working to setup a Watchguard firewall with x509 certs for
>>>>>>> >>>>> VPN
>>>>>>> >>>>> tunnels. I have created my own CA on my laptop and I have
>>>>>>> >>>>> created a
>>>>>>> >>>>> CSR on the Watchguard product. I have then signed the CSR with
>>>>>>> >>>>> my CA
>>>>>>> >>>>> certificate successfully which then imports into the Watchguard.
>>>>>>> >>>>> Here's the problem: Watchguard requires that the cert be typed as
>>>>>>> >>>>> "Web" or "IPSec" if it is to be used for VPN tunnels. Everytime I
>>>>>>> >>>>> import my signed cert it shows up as a CA Cert type. I know this
>>>>>>> >>>>> is
>>>>>>> >>>>> an interop question, but has any got an idea of what to try to get
>>>>>>> >>>>> this working? I've been at this for days now with no success.
>>>>>>> >>>>
>>>>>>> >>>> Look a the various settings for basic constraints, key usage and
>>>>>>> >>>> extended key usage as controlled in openssl.cnf ... basically you
>>>>>>> >>>> need
>>>>>>> >>>> to set them to match what Watchguard wants.
>>>>>>> >>>>
>>>>>>> >>>> Perhaps you have the v3_ca stuff set.
>>>>>>> >>>>
>>>>>>> >>>> The output of
>>>>>>> >>>> openssl x509 -text -noout cert.pem
>>>>>>> >>>> will let me see what you have set in the way of those extensions.
>>>>>>> >>>>
>>>>>>> >>>> If you have a working certificate and a non-working one then
>>>>>>> >>>> comparing
>>>>>>> >>>> the text output should help show what the requirements are.
>>>>>>> >>>>
>>>>>>> >>>> Tim.
>>>>>>> >>>
>>>>>>> >>> ______________________________________________________________________
>>>>>>> >>> OpenSSL Project
>>>>>>> >>> http://www.openssl.org
>>>>>>> >>> User Support Mailing List
>>>>>>> >>> openssl-users@openssl.org
>>>>>>> >>> Automated List Manager [EMAIL PROTECTED]
>>>>>>> >>
>>>>>>> >> ______________________________________________________________________
>>>>>>> >> OpenSSL Project
>>>>>>> >> http://www.openssl.org
>>>>>>> >> User Support Mailing List
>>>>>>> >> openssl-users@openssl.org
>>>>>>> >> Automated List Manager [EMAIL PROTECTED]
>>>>>>> >
>>>>>>> > ______________________________________________________________________
>>>>>>> > OpenSSL Project http://www.openssl.org
>>>>>>> > User Support Mailing List openssl-users@openssl.org
>>>>>>> > Automated List Manager [EMAIL PROTECTED]
>>>>>>>
>>>>>>> ______________________________________________________________________
>>>>>>> OpenSSL Project http://www.openssl.org
>>>>>>> User Support Mailing List openssl-users@openssl.org
>>>>>>> Automated List Manager [EMAIL PROTECTED]
>>>>>> ______________________________________________________________________
>>>>>> OpenSSL Project http://www.openssl.org
>>>>>> User Support Mailing List openssl-users@openssl.org
>>>>>> Automated List Manager [EMAIL PROTECTED]
>>>>>>
>>>>> ______________________________________________________________________
>>>>> OpenSSL Project http://www.openssl.org
>>>>> User Support Mailing List openssl-users@openssl.org
>>>>> Automated List Manager [EMAIL PROTECTED]
>>>>>
>>>> ______________________________________________________________________
>>>> OpenSSL Project http://www.openssl.org
>>>> User Support Mailing List openssl-users@openssl.org
>>>> Automated List Manager [EMAIL PROTECTED]
>>>>
>>> ______________________________________________________________________
>>> OpenSSL Project http://www.openssl.org
>>> User Support Mailing List openssl-users@openssl.org
>>> Automated List Manager [EMAIL PROTECTED]
>>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager [EMAIL PROTECTED]
>>
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
