[strongSwan] Using a real CA for win7 connectivity

Martin Willi martin at strongswan.org
Mon Jan 17 10:28:47 CET 2011

Hi Shane,

> So all that works when I use my own CA and import that CA
> as a trusted root on the Windows 7 client. But that's a lot
> of work so I wanted to get certified by a real CA. 

Small warning: A fresh Windows installation does not come with many CA
certificates, but these are fetched on demand (!) from a trusted
Microsoft service. This works fine in Internet Explorer, but CA
certificate fetching is disabled in IKE authentication. So your client
can't validate the server cert unless the CA is already in the store,
i.e. the client has visited a website in IE using the same CA before.

> My question is will they add those values required by Windows 7 for VPN
> use IE extendedKeyUsage serverauth and altsubjectname DNS:hostname.

This depends on the CA you are requesting these certificates from. These
are usually intended for SSL/TLS operation, so the serverAuth
extendedKeyUsage is most likely included.

> is altsubjectname even required if the cn is set to the server
> hostname?

Having the CN in the Distinguished Name set to the hostname
is insufficient in IKEv2, at least on the strongSwan side. Most CAs
include it, but there is no guarantee. You'll have to check that with
your provider.

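As an added illustration (not part of the original thread), the following script generates a test server certificate carrying the two extensions discussed above (extendedKeyUsage serverAuth and a subjectAltName DNS entry) and provides a small check that a PEM certificate actually contains them, which is what you would run on a certificate returned by a commercial CA before deploying it on the strongSwan gateway. The hostname and file paths are constructed for the demonstration, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not strongSwan project code. Builds a self-signed test
# certificate with the extensions a Windows 7 IKEv2 client expects, then
# checks a PEM certificate for them with openssl. HOST is a constructed value.
set -e
HOST="vpn.example.org"            # constructed hostname, replace with yours
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# OpenSSL request config: CN set to the hostname, plus the SAN and EKU
cat > "$WORK/srv.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_srv
prompt = no
[dn]
CN = $HOST
[v3_srv]
subjectAltName = DNS:$HOST
extendedKeyUsage = serverAuth
EOF

# Self-signed for the demo; with a real CA you would submit a CSR instead
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/srv.key" -out "$WORK/srv.pem" \
  -config "$WORK/srv.cnf" >/dev/null 2>&1

# check_vpn_cert PEMFILE HOSTNAME
# Returns 0 if the certificate carries both serverAuth EKU and a
# subjectAltName DNS entry equal to HOSTNAME, 1 otherwise.
check_vpn_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  ok=0
  echo "$text" | grep -q "TLS Web Server Authentication" \
    || { echo "missing extendedKeyUsage serverAuth"; ok=1; }
  echo "$text" | grep -Eq "DNS:$2(,|\$)" \
    || { echo "missing subjectAltName DNS:$2"; ok=1; }
  return $ok
}

check_vpn_cert "$WORK/srv.pem" "$HOST" && echo "certificate OK for $HOST"
```

Running the check against a certificate issued by your CA, with the gateway's real hostname as the second argument, tells you up front whether the client will be able to match it.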