Hi Andreas,

On 19.06.2018 at 18:47, Andreas Steffen wrote:
> Hi Sven,
>
> according to section 5.1.3.12. "ExtendedKeyUsage" of RFC 4945
> "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"
> the IPsec User EKU is deprecated:
>
>    The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in
>    certificates for use with IKE.  Note that there were three IPsec-
>    related object identifiers in EKU that were assigned in 1999.  The
>    semantics of these values were never clearly defined.  The use of
>    these three EKU values in IKE/IPsec is obsolete and explicitly
>    deprecated by this specification.  CAs SHOULD NOT issue certificates
>    for use in IKE with them.  (For historical reference only, those
>    values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel, and id-kp-
>    ipsecUser.)
>
> The only EKU flags our X.509 class supports are ocspSigning, ClientAuth,
> and ServerAuth.
Yes, I know that "IPsec User" is deprecated (I expected this remark would come), but I used it as an example here. We want to use our own OIDs. Because the ExtendedKeyUsage is just a list of OIDs and there are no restrictions I know of, we use this to differentiate between classes of certificates we issue.

If this isn't supported, how can we use StrongSwan to distinguish between groups of certificates without using Sub-CAs? We cannot be the first with this requirement...

> On 19.06.2018 18:22, Sven Anders wrote:
>>
>> We want to limit the usage of certificates by defining certain
>> "Extended Key Usage" (EKU) flags to them.
>>
>> As an example, we want to set the "IPSec User" usage (1.3.6.1.5.5.7.3.7) and
>> only allow connection via IPSec, if it is set. We may use some other flags
>> out of our own space too.
>>
>> How can I check in StrongSwan, if a certain EKU exists?

Regards

Sven Anders

--
Sven Anders <and...@anduras.de>
()  UTF-8 Ribbon Campaign
/\  Support plain text e-mail

ANDURAS intranet security AG
Messestrasse 3 - 94036 Passau - Germany
Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. - Benjamin Franklin