I suspect they won't know. This information was only obtained after they examined a certificate created in what they consider the "normal" means: by using their CA that comes with a Windows application they sell. It's basically just a MS CA. All of this was discovered when I complained LOUDLY that I would not install a MS server to create certificates. I did not, and still do not, want to expand the MS footprint at my shop, nor do I want any insecurities from doing so. I am working diligently to reduce the MS footprint.
On Mon, Sep 8, 2008 at 5:08 PM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> Because your vendor doesn't follow the latest ipsec specification,
> which states that only keyUsage nonRepudiation,digitalSignature should
> be required, and no extendedKeyUsage should be required. However,
> looking at http://www.oid-info.com/cgi-bin/display?tree=1.3.6.1.5.5.8.2
> says that 1.3.6.1.5.5.8.2 is the ipsec OID tree, not pkix.
>
> If you could get them to point you to what they're using as the
> Reference Which States They Must Require That OID, I would very much
> appreciate knowing. (It's worth noting that Microsoft's ipsec
> implementation in Windows Server 2008 doesn't appear to require this.)
>
> -Kyle H
>
> On Mon, Sep 8, 2008 at 2:29 PM, Chris Zimmerman
> <[EMAIL PROTECTED]> wrote:
>> Here's what I had to add to the config to get it to work (as listed by
>> the vendor):
>>
>> [ new_oids ]
>> pkixeku=1.3.6.1.5.5.8.2
>> ikeIntermediate=${pkixeku}.2
>>
>> [ usr_cert ]
>> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>> extendedKeyUsage = serverAuth,clientAuth,ikeIntermediate
>>
>> Any thoughts on why this works?
>>
>> On Tue, Aug 26, 2008 at 2:50 PM, Chris Zimmerman
>> <[EMAIL PROTECTED]> wrote:
>>> Well, those attributes will work (minus the IKE one - it was not
>>> recognized) but the Watchguard does not assign it with a type of
>>> IPSec, so I've contacted Watchguard support to request the expected
>>> extended attributes for this. I will post a reply as soon as I know.
>>>
>>> On Tue, Aug 26, 2008 at 1:41 PM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>>>> This is a bug, per RFC 4549. Please submit a report to your vendor.
>>>> (The semantics of the OIDs were never well-defined, and they have been
>>>> obsoleted -- according to RFC4549, having keyUsage=digitalSignature
>>>> and no EKU should work for IPsec.)
>>>>
>>>> In the [new_oids] section, add new lines:
>>>>
>>>> pkixeku=1.3.6.1.5.5.7.3
>>>> ipsecendsystem=${pkixeku}.5
>>>> ipsectunnel=${pkixeku}.6
>>>> ipsecuser=${pkixeku}.7
>>>>
>>>> and then in [usr_cert] change your extendedKeyUsage line to:
>>>>
>>>> extendedKeyUsage=serverAuth,clientAuth,ipsecIKE,ipsecendsystem,ipsectunnel,ipsecuser
>>>>
>>>> This /should/ do it, but since I don't do anything with IPsec I can't
>>>> test it. My reference is
>>>> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
>>>>
>>>> -Kyle H
>>>>
>>>> On Tue, Aug 26, 2008 at 1:17 PM, Chris Zimmerman
>>>> <[EMAIL PROTECTED]> wrote:
>>>>> Thanks to all of you for your assistance. With the recommended changes
>>>>> to the openssl.cnf file, I have successfully signed the CSR from the
>>>>> Watchguard box and imported it as a web cert (the Type that the
>>>>> Watchguard box sees). However, in order to use it for VPN tunnels,
>>>>> the device needs it to be a type IPSec. What is the extended key
>>>>> usage setting for that?
>>>>>
>>>>> On Tue, Aug 26, 2008 at 10:41 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>>>>>> [usr_cert] is the appropriate section.
>>>>>>
>>>>>> This is above the [v3_req] section, at least in the vanilla 0.9.8h
>>>>>> sources.
>>>>>>
>>>>>> -Kyle H
>>>>>>
>>>>>> On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman
>>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>>> What is the appropriate section?
>>>>>>>
>>>>>>> Sorry if this is a basic question, but I am working on improving my
>>>>>>> knowledge.
>>>>>>>
>>>>>>> On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
>>>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>>>> Chris:
>>>>>>>>
>>>>>>>> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>>>>>>>>> There is no ExtendedKeyUsage extension.
>>>>>>>>>
>>>>>>>>> To fix this, in your openssl.cnf file in section [usr_cert] there is a
>>>>>>>>> commented-out line that needs to be uncommented.
>>>>>>>>>
>>>>>>>>> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>>>>>>>>>
>>>>>>>>> Then generate a new certificate.
>>>>>>>>>
>>>>>>>> Actually - that will only set the keyUsage extension (Which you will
>>>>>>>> need) - what you also want to set is to add a line to the appropriate
>>>>>>>> section in the openssl.cnf file that you are using to generate the
>>>>>>>> certificate below that that has:
>>>>>>>>
>>>>>>>> extendedKeyUsage = serverAuth,clientAuth
>>>>>>>>
>>>>>>>> And then regen the certificate.
>>>>>>>>
>>>>>>>> Have fun.
>>>>>>>>
>>>>>>>> Patrick.
>>>>>>>>
>>>>>>>>> -Kyle H
>>>>>>>>>
>>>>>>>>> On Tue, Aug 26, 2008 at 9:20 AM, Chris Zimmerman
>>>>>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>>>>> > Here's the cert for the Watchguard:
>>>>>>>>> >
>>>>>>>>> > Certificate:
>>>>>>>>> >     Data:
>>>>>>>>> >         Version: 3 (0x2)
>>>>>>>>> >         Serial Number: 15 (0xf)
>>>>>>>>> >         Signature Algorithm: sha1WithRSAEncryption
>>>>>>>>> >         Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System,
>>>>>>>>> >                 CN=Company Root CA/[EMAIL PROTECTED]
>>>>>>>>> >         Validity
>>>>>>>>> >             Not Before: Aug 26 16:16:57 2008 GMT
>>>>>>>>> >             Not After : Aug 24 16:16:57 2018 GMT
>>>>>>>>> >         Subject: C=US, ST=TX, O=Company, OU=System, CN=WG
>>>>>>>>> >         Subject Public Key Info:
>>>>>>>>> >             Public Key Algorithm: rsaEncryption
>>>>>>>>> >             RSA Public Key: (1024 bit)
>>>>>>>>> >                 Modulus (1024 bit):
>>>>>>>>> >                     00:c2:83:76:81:24:5c:48:09:71:66:bb:22:37:05:
>>>>>>>>> >                     f3:8b:0b:f6:df:24:a0:ec:d8:65:ac:d5:77:7f:e0:
>>>>>>>>> >                     91:f1:86:a4:00:23:17:c2:28:1f:81:e0:6d:e8:24:
>>>>>>>>> >                     e7:0a:bb:7e:a5:72:57:6d:65:cb:ec:7c:f1:d0:64:
>>>>>>>>> >                     63:9f:0d:0c:b3:4c:c6:e4:3f:7c:f9:1f:53:6b:c0:
>>>>>>>>> >                     47:3a:59:4d:87:37:e5:f6:4f:ef:75:20:5b:93:0b:
>>>>>>>>> >                     f9:8b:d7:4b:b7:4c:0c:e2:8c:2e:34:ad:23:3e:c6:
>>>>>>>>> >                     89:1e:6f:3b:0d:52:25:69:d2:42:d3:de:cd:cd:e3:
>>>>>>>>> >                     ef:80:8a:e0:2d:1c:20:8f:6b
>>>>>>>>> >                 Exponent: 65537 (0x10001)
>>>>>>>>> >         X509v3 extensions:
>>>>>>>>> >             X509v3 Basic Constraints:
>>>>>>>>> >                 CA:FALSE
>>>>>>>>> >             Netscape Comment:
>>>>>>>>> >                 OpenSSL Generated Certificate
>>>>>>>>> >             X509v3 Subject Key Identifier:
>>>>>>>>> >                 3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E1:D7:7C:71:A5:FF
>>>>>>>>> >             X509v3 Authority Key Identifier:
>>>>>>>>> >                 keyid:DB:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44:F7:58:A0:8A:E8
>>>>>>>>> >
>>>>>>>>> >     Signature Algorithm: sha1WithRSAEncryption
>>>>>>>>> >         7b:b7:d0:ca:42:96:24:6a:26:e1:a4:e1:45:91:d1:28:14:97:
>>>>>>>>> >         e2:ea:dc:d6:59:97:73:ef:1a:5a:54:a4:33:fe:c2:0c:74:ca:
>>>>>>>>> >         6b:e4:85:4c:a0:9d:49:7a:1a:b0:fd:48:5c:6a:bc:de:44:53:
>>>>>>>>> >         73:23:bc:0f:ab:b6:cb:49:5a:53:2c:5c:d5:24:23:3b:e6:da:
>>>>>>>>> >         16:22:d4:db:1c:82:ac:7a:37:01:0f:a5:4e:24:92:2b:bc:2e:
>>>>>>>>> >         33:01:4d:5e:c3:7f:91:0f:3d:1d:ea:b8:8d:ad:38:ed:ab:44:
>>>>>>>>> >         b7:2d:82:7b:c3:0d:2a:a2:21:8a:58:25:ac:c4:cb:f0:57:4e:
>>>>>>>>> >         ed:ec
>>>>>>>>> >
>>>>>>>>> > On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton <[EMAIL PROTECTED]>
>>>>>>>>> > wrote:
>>>>>>>>> >> openssl x509 -in [filename] -noout -text -inform PEM
>>>>>>>>> >>
>>>>>>>>> >> -Kyle H
>>>>>>>>> >>
>>>>>>>>> >> On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman
>>>>>>>>> >> <[EMAIL PROTECTED]> wrote:
>>>>>>>>> >>> That command seems to have a syntax problem, showing: "unknown
>>>>>>>>> >>> option [cert.pem-inserted my cert here]"
>>>>>>>>> >>>
>>>>>>>>> >>> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson <[EMAIL PROTECTED]>
>>>>>>>>> >>> wrote:
>>>>>>>>> >>>> Chris Zimmerman wrote:
>>>>>>>>> >>>>> I am working to setup a Watchguard firewall with x509 certs for
>>>>>>>>> >>>>> VPN tunnels. I have created my own CA on my laptop and I have
>>>>>>>>> >>>>> created a CSR on the Watchguard product. I have then signed the
>>>>>>>>> >>>>> CSR with my CA certificate successfully which then imports into
>>>>>>>>> >>>>> the Watchguard.
>>>>>>>>> >>>>> Here's the problem: Watchguard requires that the cert be typed
>>>>>>>>> >>>>> as "Web" or "IPSec" if it is to be used for VPN tunnels.
>>>>>>>>> >>>>> Every time I import my signed cert it shows up as a CA Cert
>>>>>>>>> >>>>> type. I know this is an interop question, but has anyone got an
>>>>>>>>> >>>>> idea of what to try to get this working? I've been at this for
>>>>>>>>> >>>>> days now with no success.
>>>>>>>>> >>>>
>>>>>>>>> >>>> Look at the various settings for basic constraints, key usage and
>>>>>>>>> >>>> extended key usage as controlled in openssl.cnf ... basically
>>>>>>>>> >>>> you need to set them to match what Watchguard wants.
>>>>>>>>> >>>>
>>>>>>>>> >>>> Perhaps you have the v3_ca stuff set.
>>>>>>>>> >>>>
>>>>>>>>> >>>> The output of
>>>>>>>>> >>>>   openssl x509 -text -noout cert.pem
>>>>>>>>> >>>> will let me see what you have set in the way of those extensions.
>>>>>>>>> >>>>
>>>>>>>>> >>>> If you have a working certificate and a non-working one then
>>>>>>>>> >>>> comparing the text output should help show what the requirements
>>>>>>>>> >>>> are.
>>>>>>>>> >>>>
>>>>>>>>> >>>> Tim.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
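The thread turns on one OpenSSL configuration mechanism: names defined in `[ new_oids ]` (with `${name}` references expanding to earlier values) can then be used by name in the `extendedKeyUsage` line of `[ usr_cert ]`, and a name that is neither built in nor defined there is rejected, which is why the `ipsecIKE` token in the earlier suggestion was "not recognized". The script below is an added example, not code from the thread or from OpenSSL. It models just that part of OpenSSL's config handling (same-section `${name}` expansion only, no `section::name` references), resolves the two configurations quoted in the thread to dotted OIDs, and reports which OIDs a device requires that a certificate built from a given config would not carry. The built-in name table, the two config fragments and the "required by device" list are constructed from what the thread shows; the id-kp OID values are the standard RFC 5280 ones.

```python
"""Resolve extendedKeyUsage names from an openssl.cnf fragment and check them
against the EKU OIDs a peer device requires (added example, not OpenSSL code).
"""
import re

# Built-in id-kp names OpenSSL understands (RFC 5280 arc 1.3.6.1.5.5.7.3).
BUILTIN_EKU = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "ipsecEndSystem": "1.3.6.1.5.5.7.3.5",
    "ipsecTunnel": "1.3.6.1.5.5.7.3.6",
    "ipsecUser": "1.3.6.1.5.5.7.3.7",
}

# What the vendor told the poster it requires (taken from the thread).
REQUIRED_BY_DEVICE = ["1.3.6.1.5.5.8.2.2"]  # ikeIntermediate

# Constructed sample: the configuration the thread reports as working.
VENDOR_CNF = """
[ new_oids ]
pkixeku=1.3.6.1.5.5.8.2
ikeIntermediate=${pkixeku}.2

[ usr_cert ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth,ikeIntermediate
"""

# Constructed sample: the earlier suggestion; 'ipsecIKE' is defined nowhere.
EARLIER_CNF = """
[ new_oids ]
pkixeku=1.3.6.1.5.5.7.3
ipsecendsystem=${pkixeku}.5
ipsectunnel=${pkixeku}.6
ipsecuser=${pkixeku}.7

[ usr_cert ]
extendedKeyUsage=serverAuth,clientAuth,ipsecIKE,ipsecendsystem,ipsectunnel,ipsecuser
"""

SECTION_RE = re.compile(r"^\[\s*(\w+)\s*\]$")
REF_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")
OID_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_cnf(text):
    """Return {section: {key: raw_value}}; '#' comments and blank lines dropped."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def expand(value, scope):
    """Expand ${name} / $name references against keys of the same section."""
    def repl(match):
        name = match.group(1) or match.group(2)
        if name not in scope:
            raise KeyError(f"undefined config variable ${{{name}}}")
        return scope[name]
    previous = None
    while previous != value:  # keep going until chained references are gone
        previous, value = value, REF_RE.sub(repl, value)
    return value


def eku_oids(cnf):
    """Resolve the [ usr_cert ] extendedKeyUsage line to a list of dotted OIDs."""
    aliases = cnf.get("new_oids", {})
    names = dict(BUILTIN_EKU)
    for key, raw in aliases.items():
        names[key] = expand(raw, aliases)
    line = cnf.get("usr_cert", {}).get("extendedKeyUsage", "")
    oids = []
    for token in (t.strip() for t in line.split(",")):
        if not token:
            continue
        if OID_RE.fullmatch(token):
            oids.append(token)
        elif token in names:
            oids.append(names[token])
        else:  # this is the 'not recognized' failure the thread hit
            raise ValueError(f"unknown extendedKeyUsage name {token!r}; define it in [ new_oids ]")
    return oids


def missing_ekus(present, required):
    """OIDs the device requires that the certificate would not carry."""
    return [oid for oid in required if oid not in present]


if __name__ == "__main__":
    working = eku_oids(parse_cnf(VENDOR_CNF))
    print("vendor config EKUs:", working)
    print("missing for device:", missing_ekus(working, REQUIRED_BY_DEVICE))
    try:
        eku_oids(parse_cnf(EARLIER_CNF))
    except ValueError as err:
        print("earlier config rejected:", err)
```

Running it shows the vendor config resolving to serverAuth, clientAuth and 1.3.6.1.5.5.8.2.2 with nothing missing, while the earlier config is rejected at the `ipsecIKE` token; dropping that token resolves the remaining names to the 1.3.6.1.5.5.7.3.{1,2,5,6,7} arc. The same `missing_ekus` check is the programmatic form of Tim's advice to diff the `openssl x509 -text` output of a working and a non-working certificate: compare the EKU set the device accepts with the one your config produces before signing anything.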