Because your vendor doesn't follow the latest ipsec specification,
which states that only keyUsage nonRepudiation,digitalSignature should
be required, and no extendedKeyUsage should be required.  However,
looking at http://www.oid-info.com/cgi-bin/display?tree=1.3.6.1.5.5.8.2
says that 1.3.6.1.5.5.8.2 is the ipsec OID tree, not pkix.

If you could get them to point you to what they're using as the
Reference Which States They Must Require That OID, I would very much
appreciate knowing.  (It's worth noting that Microsoft's ipsec
implementation in Windows Server 2008 doesn't appear to require this.)

-Kyle H

On Mon, Sep 8, 2008 at 2:29 PM, Chris Zimmerman
<[EMAIL PROTECTED]> wrote:
> Here's what I had to add to the config to get it to work (as listed by
> the vendor):
>
> [ new_oids ]
> pkixeku=1.3.6.1.5.5.8.2
> ikeIntermediate=${pkixeku}.2
>
> [ usr_cert ]
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth,clientAuth,ikeIntermediate
>
> Any thoughts on why this works?
>
>
>
> On Tue, Aug 26, 2008 at 2:50 PM, Chris Zimmerman
> <[EMAIL PROTECTED]> wrote:
>> Well, those attributes will work (minus the IKE one - it was not
>> recognized) but the Watchguard does not assign it with a type of
>> IPSec, so I've contacted Watchguard support to request the expected
>> extended attributes for this.  I will post a reply as soon as I know.
>>
>> On Tue, Aug 26, 2008 at 1:41 PM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>>> This is a bug, per RFC 4549.  Please submit a report to your vendor.
>>> (The semantics of the OIDs were never well-defined, and they have been
>>> obsoleted -- according to RFC4549, having keyUsage=digitalSignature
>>> and no EKU should work for IPsec.)
>>>
>>> In the [new_oids] section, add new lines:
>>>
>>> pkixeku=1.3.6.1.5.5.7.3
>>> ipsecendsystem=${pkixeku}.5
>>> ipsectunnel=${pkixeku}.6
>>> ipsecuser=${pkixeku}.7
>>>
>>> and then in [usr_cert] change your extendedKeyUsage line to:
>>>
>>> extendedKeyUsage=serverAuth,clientAuth,ipsecIKE,ipsecendsystem,ipsectunnel,ipsecuser
>>>
>>> This /should/ do it, but since I don't do anything with IPsec I can't
>>> test it.  My reference is
>>> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
>>>
>>> -Kyle H
>>>
>>> On Tue, Aug 26, 2008 at 1:17 PM, Chris Zimmerman
>>> <[EMAIL PROTECTED]> wrote:
>>>> Thanks to all of you in your assistance.  With the recommended changes
>>>> to the openssl.cnf file, I have successfully signed the CSR from the
>>>> Watchguard box and imported it as a web cert (the Type that the
>>>> Watchguard box sees).  However, in order to use it for VPN tunnels,
>>>> the device needs it to be a type IPSec.  What is the extended key
>>>> usage setting for that?
>>>>
>>>> On Tue, Aug 26, 2008 at 10:41 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>>>>> [usr_cert] is the appropriate section.
>>>>>
>>>>> This is above the [v3_req] section, at least in the vanilla 0.9.8h sources.
>>>>>
>>>>> -Kyle H
>>>>>
>>>>> On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman
>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>> What is the appropriate section?
>>>>>>
>>>>>> Sorry if this is a basic question, but I am working on improving my knowledge.
>>>>>>
>>>>>> On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
>>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>>> Chris:
>>>>>>>
>>>>>>> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>>>>>>>> There is no ExtendedKeyUsage extension.
>>>>>>>>
>>>>>>>> To fix this, in your openssl.cnf file in section [usr_cert] there is a
>>>>>>>> commented-out line that needs to be uncommented.
>>>>>>>> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>>>>>>>>
>>>>>>>> Then generate a new certificate.
>>>>>>>>
>>>>>>> Actually - that will only set the keyUsage extension (which you will
>>>>>>> need) - what you also want to set is to add a line to the appropriate
>>>>>>> section in the openssl.cnf file that you are using to generate the
>>>>>>> certificate below that, which has:
>>>>>>>
>>>>>>> extendedKeyUsage = serverAuth,clientAuth
>>>>>>>
>>>>>>> And then regen the certificate.
>>>>>>>
>>>>>>> Have fun.
>>>>>>>
>>>>>>> Patrick.
>>>>>>>
>>>>>>>> -Kyle H
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Aug 26, 2008 at 9:20 AM, Chris Zimmerman
>>>>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>>>> > Here's the cert for the Watchguard:
>>>>>>>> >
>>>>>>>> > Certificate:
>>>>>>>> >    Data:
>>>>>>>> >        Version: 3 (0x2)
>>>>>>>> >        Serial Number: 15 (0xf)
>>>>>>>> >        Signature Algorithm: sha1WithRSAEncryption
>>>>>>>> >        Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System,
>>>>>>>> > CN=Company Root CA/[EMAIL PROTECTED]
>>>>>>>> >        Validity
>>>>>>>> >            Not Before: Aug 26 16:16:57 2008 GMT
>>>>>>>> >            Not After : Aug 24 16:16:57 2018 GMT
>>>>>>>> >        Subject: C=US, ST=TX, O=Company, OU=System, CN=WG
>>>>>>>> >        Subject Public Key Info:
>>>>>>>> >            Public Key Algorithm: rsaEncryption
>>>>>>>> >            RSA Public Key: (1024 bit)
>>>>>>>> >                Exponent: 65537 (0x10001)
>>>>>>>> >        X509v3 extensions:
>>>>>>>> >            X509v3 Basic Constraints:
>>>>>>>> >                CA:FALSE
>>>>>>>> >            Netscape Comment:
>>>>>>>> >                OpenSSL Generated Certificate
>>>>>>>> >            X509v3 Subject Key Identifier:
>>>>>>>> >                3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E1:D7:7C:71:A5:FF
>>>>>>>> >            X509v3 Authority Key Identifier:
>>>>>>>> >                keyid:DB:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44:F7:58:A0:8A:E8
>>>>>>>> >
>>>>>>>> >    Signature Algorithm: sha1WithRSAEncryption
>>>>>>>> >
>>>>>>>> > On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>>>>>>>> >> openssl x509 -in [filename] -noout -text -inform PEM
>>>>>>>> >>
>>>>>>>> >> -Kyle H
>>>>>>>> >>
>>>>>>>> >> On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman
>>>>>>>> >> <[EMAIL PROTECTED]> wrote:
>>>>>>>> >>> That command seems to have a syntax problem, showing: "unknown
>>>>>>>> >>> option [cert.pem-inserted my cert here]"
>>>>>>>> >>>
>>>>>>>> >>> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson <[EMAIL PROTECTED]> wrote:
>>>>>>>> >>>> Chris Zimmerman wrote:
>>>>>>>> >>>>> I am working to set up a Watchguard firewall with x509 certs for
>>>>>>>> >>>>> VPN tunnels.  I have created my own CA on my laptop and I have
>>>>>>>> >>>>> created a CSR on the Watchguard product.  I have then signed the
>>>>>>>> >>>>> CSR with my CA certificate successfully which then imports into
>>>>>>>> >>>>> the Watchguard.
>>>>>>>> >>>>> Here's the problem: Watchguard requires that the cert be typed as
>>>>>>>> >>>>> "Web" or "IPSec" if it is to be used for VPN tunnels.  Every time
>>>>>>>> >>>>> I import my signed cert it shows up as a CA Cert type.  I know
>>>>>>>> >>>>> this is an interop question, but has anyone got an idea of what
>>>>>>>> >>>>> to try to get this working?  I've been at this for days now with
>>>>>>>> >>>>> no success.
>>>>>>>> >>>>
>>>>>>>> >>>> Look at the various settings for basic constraints, key usage and
>>>>>>>> >>>> extended key usage as controlled in openssl.cnf ... basically you
>>>>>>>> >>>> need to set them to match what Watchguard wants.
>>>>>>>> >>>>
>>>>>>>> >>>> Perhaps you have the v3_ca stuff set.
>>>>>>>> >>>>
>>>>>>>> >>>> The output of
>>>>>>>> >>>>        openssl x509 -text -noout cert.pem
>>>>>>>> >>>> will let me see what you have set in the way of those extensions.
>>>>>>>> >>>>
>>>>>>>> >>>> If you have a working certificate and a non-working one then
>>>>>>>> >>>> comparing the text output should help show what the requirements are.
>>>>>>>> >>>>
>>>>>>>> >>>> Tim.
>>>>>>>> >>>
>>>>>>>> >>> ______________________________________________________________________
>>>>>>>> >>> OpenSSL Project                                 
>>>>>>>> >>> http://www.openssl.org
>>>>>>>> >>> User Support Mailing List                    
>>>>>>>> >>> openssl-users@openssl.org
>>>>>>>> >>> Automated List Manager                           [EMAIL PROTECTED]

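Added example, not code from the thread or from OpenSSL: a stdlib-only Python script that resolves the names used on an extendedKeyUsage line the way OpenSSL's config parser expands ${name} references in [new_oids], DER-encodes the resulting OIDs so they can be matched byte-for-byte against a certificate dump, and returns None for any name that is neither built-in nor defined (the 0.9.8h setup in the thread did not recognise ipsecIKE). The built-in name table is a subset and an assumption, and the sample config is constructed from the vendor fragment Chris posted.

```python
import re

# Built-in EKU short names OpenSSL knows without [new_oids] (subset; assumption).
BUILTIN_EKU = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
               "ipsecEndSystem": "1.3.6.1.5.5.7.3.5", "ipsecTunnel": "1.3.6.1.5.5.7.3.6",
               "ipsecUser": "1.3.6.1.5.5.7.3.7"}
# Constructed from the vendor-supplied fragment posted in the thread.
VENDOR_CFG = """[ new_oids ]
pkixeku=1.3.6.1.5.5.8.2
ikeIntermediate=${pkixeku}.2
[ usr_cert ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth,ikeIntermediate
"""

def parse_sections(cfg):
    """Split openssl.cnf-style text into {section: {key: value}}, dropping # comments."""
    sections, cur = {}, None
    for line in (l.split("#", 1)[0].strip() for l in cfg.splitlines()):
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            cur = sections.setdefault(m.group(1), {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return sections

def new_oids(cfg):
    """Resolve [new_oids], expanding ${name} against earlier keys as OpenSSL does."""
    out = {}
    for name, val in parse_sections(cfg).get("new_oids", {}).items():
        out[name] = re.sub(r"\$\{(\w+)\}", lambda m: out[m.group(1)], val)
    return out  # e.g. ikeIntermediate -> 1.3.6.1.5.5.8.2.2

def encode_oid(dotted):
    """DER-encode a dotted OID as a full OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                 # base-128, high bit = continuation
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        body += chunk
    return bytes([0x06, len(body)] + body)

def resolve_eku(cfg):
    """Map each extendedKeyUsage name to its dotted OID; None when undefined."""
    names = {**BUILTIN_EKU, **new_oids(cfg)}
    eku = parse_sections(cfg)["usr_cert"]["extendedKeyUsage"]
    return {n.strip(): names.get(n.strip()) for n in eku.split(",")}
```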