[strongSwan] Checking X509 Extended Key Usage

Andreas Steffen andreas.steffen at strongswan.org
Tue Jun 19 18:47:39 CEST 2018

Hi Sven,

according to section "ExtendedKeyUsage" of RFC 4945
"The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"
the IPsec User EKU is deprecated:

   The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in
   certificates for use with IKE.  Note that there were three IPsec-
   related object identifiers in EKU that were assigned in 1999.  The
   semantics of these values were never clearly defined.  The use of
   these three EKU values in IKE/IPsec is obsolete and explicitly
   deprecated by this specification.  CAs SHOULD NOT issue certificates
   for use in IKE with them.  (For historical reference only, those
   values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel, and id-kp-

The only EKU flags our X.509 class supports are ocspSigning, ClientAuth,
and ServerAuth.

Best regards


On 19.06.2018 18:22, Sven Anders wrote:
> Hello!
> We want to limit the usage of certificates by defining certain
> "Extended Key Usage" (EKU) flags to them.
> As an example, we want to set the "IPSec User" usage ( and
> only allow connection via IPSec, if it is set. We may use some other flags
> out of our own space too.
> How can I check in StrongSwan, if a certain EKU exists?
> Regards
>  Sven Anders

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
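Sven's question is about testing a certificate for a particular EKU OID, and Andreas's answer is that strongSwan's X.509 class only recognises three of them. As an added example for this thread (not strongSwan's own code, and not anything the RFC contains), the script below shows what the EKU extension value actually is on the wire, `SEQUENCE OF OBJECT IDENTIFIER` per RFC 5280 4.2.1.12, with a small hand-written DER codec so it runs offline. It encodes a constructed EKU value, decodes it back, checks for a given OID, and flags the three IPsec OIDs that RFC 4945 deprecates (1.3.6.1.5.5.7.3.5, .6 and .7 are the standard id-kp-ipsecEndSystem, id-kp-ipsecTunnel and id-kp-ipsecUser values). The private OID `1.3.6.1.4.1.99999.1.1` is a placeholder standing in for "flags out of our own space"; the enterprise number is invented for the example.

```python
"""Minimal DER codec for the X.509 ExtendedKeyUsage extension value.

Added example for the strongSwan users thread; it is not strongSwan code.
ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (an OID).
"""

# Standard key-purpose OIDs (RFC 5280 / RFC 4945).
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"   # deprecated by RFC 4945
ID_KP_IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"       # deprecated by RFC 4945
ID_KP_IPSEC_USER = "1.3.6.1.5.5.7.3.7"         # deprecated by RFC 4945
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

DEPRECATED_IPSEC_EKUS = {ID_KP_IPSEC_END_SYSTEM, ID_KP_IPSEC_TUNNEL, ID_KP_IPSEC_USER}
# The three purposes strongSwan's X.509 class understands, per Andreas's reply.
STRONGSWAN_SUPPORTED_EKUS = {ID_KP_SERVER_AUTH, ID_KP_CLIENT_AUTH, ID_KP_OCSP_SIGNING}

# Placeholder for a private-arc OID (1.3.6.1.4.1 = IANA enterprise arc); the
# enterprise number 99999 is invented for this example.
PRIVATE_EKU_EXAMPLE = "1.3.6.1.4.1.99999.1.1"


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit = continue
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def encode_eku(oids):
    """Build the extnValue of an ExtendedKeyUsage extension (SEQUENCE OF OID)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(inner)) + inner


def _read_tlv(buf, pos):
    """Read one tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted form (first arc < 2)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse an ExtendedKeyUsage extnValue into a list of dotted OIDs."""
    tag, inner, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(inner):
        tag, body, pos = _read_tlv(inner, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def has_eku(der, oid):
    """Answer Sven's question for one extension value: is this OID present?"""
    return oid in decode_eku(der)


def audit_eku(der):
    """Classify each purpose: RFC 4945-deprecated, strongSwan-supported, or other."""
    oids = decode_eku(der)
    known = DEPRECATED_IPSEC_EKUS | STRONGSWAN_SUPPORTED_EKUS
    return {
        "deprecated_ipsec": sorted(o for o in oids if o in DEPRECATED_IPSEC_EKUS),
        "strongswan_supported": sorted(o for o in oids if o in STRONGSWAN_SUPPORTED_EKUS),
        "unrecognised": sorted(o for o in oids if o not in known),
    }


if __name__ == "__main__":
    # Constructed sample: the EKU Sven describes (ipsecUser plus a private flag).
    sample = encode_eku([ID_KP_CLIENT_AUTH, ID_KP_IPSEC_USER, PRIVATE_EKU_EXAMPLE])
    print(sample.hex())
    print(audit_eku(sample))
```

The point the audit makes visible: a certificate carrying id-kp-ipsecUser will be accepted by a relying party that ignores EKU and rejected by one that enforces it strictly, and a private-arc OID is simply unrecognised by strongSwan's class, so neither can be relied on as a policy gate on the IKE side. To inspect a real certificate, feed it the raw extension value (for instance extracted with an ASN.1 dumper) rather than the whole certificate, since the parser deliberately handles only the EKU SEQUENCE.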
