Hi Sven,
> In your example scenario the CA has the policy set too.
> I'm a bit unsure if this is necessary, because RFC 5280 in section
> 4.2.1.4 (Certificate Policies) states:
>
> "When a CA does not wish to limit the set of policies for certification
> paths that include this certificate,
Hello Andreas,
I'm getting closer by using certificate policies instead of the EKUs.
In your example scenario the CA has the policy set too.
I'm a bit unsure if this is necessary, because RFC 5280 in section
4.2.1.4 (Certificate Policies) states:
"When a CA does not wish to limit the set of
Hi Sven,
the certificate policy must be contained in all certificates
of the X.509 trust chain. See the following example scenario:
https://www.strongswan.org/testing/testresults5dr/swanctl/rw-ed25519-certpol/
Regards
Andreas
On 20.06.2018 13:41, Sven Anders wrote:
> On 20.06.2018 at 10:43
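A check for the chain rule Andreas describes, added here as an example and not code from the thread or from strongSwan: it assumes Python's `cryptography` package is installed, builds a constructed Ed25519 CA plus two leaf certificates, and tests whether every certificate in the chain carries the policy OID (1.3.6.1.4.1.99999.1.1 is a placeholder for your own OID).

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID

# Placeholder policy OID from a private arc; substitute your organisation's own.
REQUIRED_POLICY = "1.3.6.1.4.1.99999.1.1"

def make_cert(cn, issuer_cn, key, signer_key, policies, is_ca):
    # Constructed Ed25519 certificate for the demo; real ones come from your PKI.
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if policies:
        infos = [x509.PolicyInformation(x509.ObjectIdentifier(p), None) for p in policies]
        builder = builder.add_extension(x509.CertificatePolicies(infos), critical=False)
    return builder.sign(signer_key, None)  # Ed25519 takes no separate hash algorithm

def cert_policies(cert):
    # Policy OIDs asserted by one certificate; empty set if the extension is absent.
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return set()
    return {info.policy_identifier.dotted_string for info in ext.value}

def chain_asserts_policy(chain, oid=REQUIRED_POLICY):
    # The cert_policy / rightcertpolicy check passes only if every cert in the chain asserts the OID.
    return all(oid in cert_policies(cert) for cert in chain)

def build_chains():
    # Constructed CA plus two leaves: one carrying the policy, one without it.
    ca_key = ed25519.Ed25519PrivateKey.generate()
    ca = make_cert("Test CA", "Test CA", ca_key, ca_key, [REQUIRED_POLICY], True)
    good = make_cert("good", "Test CA", ed25519.Ed25519PrivateKey.generate(), ca_key, [REQUIRED_POLICY], False)
    bad = make_cert("bad", "Test CA", ed25519.Ed25519PrivateKey.generate(), ca_key, [], False)
    return [good, ca], [bad, ca]

if __name__ == "__main__":
    good_chain, bad_chain = build_chains()
    print(chain_asserts_policy(good_chain), chain_asserts_policy(bad_chain))  # True False
```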
On 20.06.2018 at 10:43, Andreas Steffen wrote:
> Hi Sven,
>
> you can use certificate policies which are based on OIDs.
>
> With swanctl.conf:
>
> remote {
> auth = pubkey
> cert_policy =
> ...
> }
>
> or with ipsec.conf:
>
> rightcertpolicy=
Thanks for pointing me to the
Hi Sven,
you can use certificate policies which are based on OIDs.
With swanctl.conf:
remote {
auth = pubkey
cert_policy =
...
}
or with ipsec.conf:
rightcertpolicy=
Best regards
Andreas
On 20.06.2018 09:49, Sven Anders wrote:
> Hi Andreas,
>
> On 19.06.2018 at 18:47
Hi Andreas,
On 19.06.2018 at 18:47, Andreas Steffen wrote:
> Hi Sven,
>
> according to section 5.1.3.12. "ExtendedKeyUsage" of RFC 4945
> "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"
> the IPsec User EKU is deprecated:
>
> The CA SHOULD NOT include the
Hi Sven,
according to section 5.1.3.12. "ExtendedKeyUsage" of RFC 4945
"The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"
the IPsec User EKU is deprecated:
The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in
certificates for use with IKE. Note that there
Hello!
We want to limit the usage of certificates by defining certain
"Extended Key Usage" (EKU) flags to them.
As an example, we want to set the "IPSec User" usage (1.3.6.1.5.5.7.3.7) and
only allow connections via IPSec if it is set. We may use some other flags
out of our own space too.
How