[strongSwan] CRL check and certificates extensions

Andreas Steffen andreas.steffen at strongswan.org
Mon Jun 10 17:14:39 CEST 2013


Hello Fabrice,

I downloaded the CRL but was unable to get the RACINE AGRIATES CA
certificate. Could you send it to me so I can do some tests for myself?

Kind regards

Andreas

On 06/10/2013 01:56 PM, Fabrice Barconnière wrote:
> Hello,
> 
> I have a problem with certificate status verification from a CRL:
> Jun 10 13:28:13 sphynx2.3 charon: 05[CFG]   using certificate "C=fr, 
> O=gouv, OU=education, OU=ac-dijon, CN=0711321A-01"
> Jun 10 13:28:13 sphynx2.3 charon: 05[CFG]   using trusted ca certificate 
> "C=fr, O=gouv, CN=RACINE AGRIATES"
> Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] checking certificate status of 
> "C=fr, O=gouv, OU=education, OU=ac-dijon, CN=0711321A-01"
> Jun 10 13:28:13 sphynx2.3 charon: 05[CFG]   fetching crl from 
> 'http://crl1.igc.education.fr/agriates.crl' ...
> Jun 10 13:28:13 sphynx2.3 charon: 05[CFG]   using trusted certificate 
> "C=fr, O=gouv, CN=RACINE AGRIATES"
> Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] crl response verification failed
> Jun 10 13:28:13 sphynx2.3 charon: 05[CFG]   fetching crl from 
> 'http://crl2.igc.education.fr/agriates.crl' ...
> Jun 10 13:28:13 sphynx2.3 charon: 05[CFG]   using trusted certificate 
> "C=fr, O=gouv, CN=RACINE AGRIATES"
> Jun 10 13:28:13 sphynx2.3 charon: 05[CFG] crl response verification failed
> Jun 10 13:28:14 sphynx2.3 charon: 05[CFG] certificate status is not 
> available
> 
> Certificates are issued by an external PKI.
> 
> I've built my own PKI with "ipsec pki" tool and with the same 
> configuration using this testing PKI, certificate status verification is OK.
> 
> The only difference I can see is in the certificate extensions.
> 
> External PKI :
> * CA certificate extensions :
> X509v3 extensions:
>      Netscape Cert Type:
>          SSL CA, S/MIME CA, Object Signing CA
>      X509v3 Basic Constraints: critical
>          CA:TRUE
>      X509v3 Subject Key Identifier:
>          7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
>      X509v3 Key Usage: critical
>          Digital Signature, Certificate Sign, CRL Sign
>      X509v3 Authority Key Identifier:
> keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
> 
> * CRL extensions:
>      X509v3 Authority Key Identifier:
> keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
> 
>      X509v3 CRL Number:
>          15153
> 
> * End point Certificates extensions :
> X509v3 extensions:
>      X509v3 Key Usage: critical
>          Digital Signature, Non Repudiation, Key Encipherment
>      Netscape Cert Type:
>          Object Signing
>      X509v3 Authority Key Identifier:
> keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
> 
>      X509v3 CRL Distribution Points:
>          URI:http://crl1.igc.education.fr/agriates.crl
>          URI:http://crl2.igc.education.fr/agriates.crl
> 
> 
> My testing PKI:
> * CA certificate extensions :
> X509v3 extensions:
>      X509v3 Basic Constraints: critical
>          CA:TRUE
>      X509v3 Key Usage: critical
>          Certificate Sign, CRL Sign
>      X509v3 Subject Key Identifier:
>          1E:1E:EC:92:8B:D6:4D:0B:05:9E:40:DF:53:88:FC:8C:22:B3:13:8A
>      X509v3 Authority Key Identifier:
> keyid:1E:1E:EC:92:8B:D6:4D:0B:05:9E:40:DF:53:88:FC:8C:22:B3:13:8A
> 
> * End point certificates extensions :
> X509v3 extensions:
>      X509v3 Authority Key Identifier:
> keyid:1E:1E:EC:92:8B:D6:4D:0B:05:9E:40:DF:53:88:FC:8C:22:B3:13:8A
> 
>      X509v3 CRL Distribution Points:
>          URI:http://crl1.igc.education.fr/agriates.crl
> 
> * CRL Extensions :
>     X509v3 Authority Key Identifier:
> keyid:1E:1E:EC:92:8B:D6:4D:0B:05:9E:40:DF:53:88:FC:8C:22:B3:13:8A
> 
>      X509v3 CRL Number:
>          1
> 
> With the external PKI, we find the "netscapeCertType" and "Digital Signature" 
> extensions in the CA and the end point certificates, and we find "Non 
> Repudiation" and "Key Encipherment" in the end point certificates.
> I wonder if these extensions could be the reason for the CRL problem.
> 
> Regards,
> Fabrice Barconnière
> http://dev-eole.ac-dijon.fr
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
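The checks a verifier runs before it trusts a downloaded CRL are the ones worth reproducing when chasing a "crl response verification failed" message: does the CRL's Authority Key Identifier match the trusted CA's Subject Key Identifier, and does the CA certificate's Key Usage permit CRL Sign so that its signature on the CRL counts. The following is an added example, not strongSwan's code and not the AGRIATES PKI: it builds a lab CA and CRL with Go's standard crypto/x509 package, whose RevocationList.CheckSignatureFrom rejects a CRL when the issuing certificate lacks the CRL Sign usage bit, then runs the same CRL against a CA certificate that shares the key but omits CRL Sign, and against an unrelated CA. All names, serials and the CRL number are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA issues a self-signed CA certificate with the given Key Usage bits.
// The SKI is a constructed value; real CAs derive it from the public key.
func newCA(cn string, usage x509.KeyUsage, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"fr"}, Organization: []string{"lab"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
		SubjectKeyId:          []byte("ski-" + cn),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCRL signs a CRL with the issuer's key, revoking the listed serials.
func newCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, number int64, revoked ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(number),
		ThisUpdate: time.Now().Add(-time.Hour),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{
			SerialNumber: big.NewInt(s), RevocationTime: time.Now().Add(-time.Minute),
		})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// CheckCRL is the verifier-side check: AKI must match the trusted CA's SKI,
// and the signature must verify against a CA allowed to sign CRLs.
func CheckCRL(crl *x509.RevocationList, ca *x509.Certificate) error {
	if !bytes.Equal(crl.AuthorityKeyId, ca.SubjectKeyId) {
		return errors.New("crl authority key id does not match ca subject key id")
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("crl response verification failed: %w", err)
	}
	return nil
}

// Status reports the revocation state of a serial in a CRL that passed CheckCRL.
func Status(crl *x509.RevocationList, serial int64) string {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Int64() == serial {
			return "revoked"
		}
	}
	return "good"
}

// Scenario holds the outcome of each check so callers can inspect them.
type Scenario struct {
	GoodCA, NoCRLSign, WrongCA error
	Revoked, Good              string
}

// RunScenario builds the lab PKI and runs the three CA variants against one CRL.
func RunScenario() (Scenario, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	full := x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	ca, err := newCA("RACINE LAB", full, key)
	if err != nil {
		return Scenario{}, err
	}
	crl, err := newCRL(ca, key, 15153, 42)
	if err != nil {
		return Scenario{}, err
	}
	// Same key and DN, but Key Usage without CRL Sign: the signature is still
	// mathematically valid, yet a conforming verifier must reject the CRL.
	noCRLSign, err := newCA("RACINE LAB", full&^x509.KeyUsageCRLSign, key)
	if err != nil {
		return Scenario{}, err
	}
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	wrong, err := newCA("OTHER ROOT", full, otherKey)
	if err != nil {
		return Scenario{}, err
	}
	return Scenario{
		GoodCA: CheckCRL(crl, ca), NoCRLSign: CheckCRL(crl, noCRLSign), WrongCA: CheckCRL(crl, wrong),
		Revoked: Status(crl, 42), Good: Status(crl, 7),
	}, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("proper CA: %v\nCA without CRL Sign: %v\nunrelated CA: %v\n", s.GoodCA, s.NoCRLSign, s.WrongCA)
	fmt.Printf("serial 42: %s, serial 7: %s\n", s.Revoked, s.Good)
}
```

Run with `go run .` on Go 1.19 or later (ParseRevocationList and CheckSignatureFrom were added in 1.19). The second case is the one relevant to the question above: an extension mismatch on the CA certificate, not a bad signature, is enough for a verifier to report that the CRL could not be verified, which is why comparing the issuing CA's Key Usage and SKI against the CRL's AKI is the first thing to check. In this thread the external CA does carry CRL Sign and a matching key identifier, so these particular checks would pass there.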
