[strongSwan] CRL check and certificates extensions
Fabrice Barconnière
fabrice.barconniere at ac-dijon.fr
Mon Jun 10 13:56:22 CEST 2013
Hello,
I have a problem with certificate status verification from a CRL:
Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] using certificate "C=fr,
O=gouv, OU=education, OU=ac-dijon, CN=0711321A-01"
Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] using trusted ca certificate
"C=fr, O=gouv, CN=RACINE AGRIATES"
Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] checking certificate status of
"C=fr, O=gouv, OU=education, OU=ac-dijon, CN=0711321A-01"
Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] fetching crl from
'http://crl1.igc.education.fr/agriates.crl' ...
Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] using trusted certificate
"C=fr, O=gouv, CN=RACINE AGRIATES"
Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] crl response verification failed
Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] fetching crl from
'http://crl2.igc.education.fr/agriates.crl' ...
Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] using trusted certificate
"C=fr, O=gouv, CN=RACINE AGRIATES"
Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] crl response verification failed
Jun 10 13:28:14 sphynx2.3 charon: 05[CFG] certificate status is not
available
Certificates are issued by an external PKI.
I've built my own PKI with the "ipsec pki" tool, and with the same
configuration using this testing PKI, certificate status verification is OK.
The only difference I can see is in the certificate extensions.
External PKI:
* CA certificate extensions:
    X509v3 extensions:
        Netscape Cert Type:
            SSL CA, S/MIME CA, Object Signing CA
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier:
            7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
        X509v3 Key Usage: critical
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 Authority Key Identifier:
            keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
* CRL extensions:
        X509v3 Authority Key Identifier:
            keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
        X509v3 CRL Number:
            15153
* End point certificate extensions:
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment
        Netscape Cert Type:
            Object Signing
        X509v3 Authority Key Identifier:
            keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
        X509v3 CRL Distribution Points:
            URI:http://crl1.igc.education.fr/agriates.crl
            URI:http://crl2.igc.education.fr/agriates.crl
My testing PKI:
* CA certificate extensions:
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Subject Key Identifier:
            1E:1E:EC:92:8B:D6:4D:0B:05:9E:40:DF:53:88:FC:8C:22:B3:13:8A
        X509v3 Authority Key Identifier:
            keyid:1E:1E:EC:92:8B:D6:4D:0B:05:9E:40:DF:53:88:FC:8C:22:B3:13:8A
* End point certificate extensions:
    X509v3 extensions:
        X509v3 Authority Key Identifier:
            keyid:1E:1E:EC:92:8B:D6:4D:0B:05:9E:40:DF:53:88:FC:8C:22:B3:13:8A
        X509v3 CRL Distribution Points:
            URI:http://crl1.igc.education.fr/agriates.crl
* CRL extensions:
        X509v3 Authority Key Identifier:
            keyid:1E:1E:EC:92:8B:D6:4D:0B:05:9E:40:DF:53:88:FC:8C:22:B3:13:8A
        X509v3 CRL Number:
            1
With the external PKI, we found the "netscapeCertType" and "Digital Signature"
extensions in the CA and end point certificates, and we found "Non
Repudiation" and "Key Encipherment" in the end point certificates.
I wonder if these extensions can be the reason for the CRL problem.
Regards,
Fabrice Barconnière
http://dev-eole.ac-dijon.fr
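A way to test the two preconditions behind that "checking certificate status" step, added here as an example and not part of the original post or of strongSwan: the script builds a throwaway root CA carrying the external PKI's extension set (nsCertType plus digitalSignature/keyCertSign/cRLSign), issues a CRL from it, and then checks that the CRL's Authority Key Identifier matches the trusted CA's Subject Key Identifier and that the CRL signature verifies with that CA's key. It assumes the openssl command-line tool; every subject, path and key size is made up for the demo.

```shell
# Constructed demo (not the poster's PKI, not strongSwan code): a root CA carrying the
# external PKI's extension set, a CRL issued by it, and the two checks a CRL must
# pass before it can vouch for a certificate: its AKI must name the trusted CA's
# key, and its signature must verify with that key. All names/paths are made up.
set -e
WORK=$(mktemp -d)
CNF="$WORK/ca.cnf"
setup_ca() {
  : > "$WORK/index.txt"
  echo 01 > "$WORK/serial"
  echo 3B31 > "$WORK/crlnumber"   # hex: 0x3B31 = 15153, the CRL number seen in the post
  cat > "$CNF" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
serial = $WORK/serial
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = DEMO ROOT
[ ca_ext ]
nsCertType = sslCA, emailCA, objCA
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
authorityKeyIdentifier = keyid
[ crl_ext ]
authorityKeyIdentifier = keyid
EOF
  # "ca" signs the CRL; "other" has the SAME subject but a different key, i.e. a
  # trusted CA certificate that does not hold the CRL signing key.
  for n in ca other; do
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/$n.key" \
      -out "$WORK/$n.pem" -days 30 -config "$CNF" -extensions ca_ext 2>/dev/null
  done
  openssl ca -batch -config "$CNF" -gencrl -crlexts crl_ext -out "$WORK/crl.pem" 2>/dev/null
}
# keyid from a CRL's Authority Key Identifier / a certificate's Subject Key Identifier
crl_aki()  { openssl crl  -in "$1" -noout -text | grep -A1 'Authority Key' | tail -1 | tr -d ' ' | sed 's/^keyid://'; }
cert_ski() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key'   | tail -1 | tr -d ' '; }
# Succeeds only when the CRL signature verifies with the given CA certificate; this
# failing is what charon logs as "crl response verification failed".
verify_crl() { openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'; }
```

Running cert_ski and crl_aki against the real CA certificate and the fetched agriates.crl tells whether the CRL names the trusted CA's key at all; verify_crl then tells whether that key actually signed it.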