[strongSwan] Checking X509 Extended Key Usage
Andreas Steffen
andreas.steffen at strongswan.org
Tue Jun 19 18:47:39 CEST 2018
Hi Sven,
according to section 5.1.3.12. "ExtendedKeyUsage" of RFC 4945
"The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"
the IPsec User EKU is deprecated:
The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in
certificates for use with IKE. Note that there were three IPsec-
related object identifiers in EKU that were assigned in 1999. The
semantics of these values were never clearly defined. The use of
these three EKU values in IKE/IPsec is obsolete and explicitly
deprecated by this specification. CAs SHOULD NOT issue certificates
for use in IKE with them. (For historical reference only, those
values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel, and id-kp-
ipsecUser.)
The only EKU flags our X.509 class supports are ocspSigning, ClientAuth,
and ServerAuth.
Best regards
Andreas
On 19.06.2018 18:22, Sven Anders wrote:
> Hello!
>
> We want to limit the usage of certificates by defining certain
> "Extended Key Usage" (EKU) flags to them.
>
> As an example, we want to set the "IPSec User" usage (1.3.6.1.5.5.7.3.7) and
> only allow connection via IPSec, if it is set. We may use some other flags
> out of our own space too.
>
> How can I check in StrongSwan, if a certain EKU exists?
>
> Regards
> Sven Anders
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
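For readers who want to see what "checking whether a certain EKU exists" amounts to at the DER level, here is an added example (it is not strongSwan code and not from either poster). It is a pure-Python encoder/decoder for the ExtendedKeyUsage extension value (ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER), and it classifies each KeyPurposeId against the three OIDs RFC 4945 deprecates and the three purposes the reply above says strongSwan recognises. The sample extension bytes are constructed here, and the private-arc OID 1.3.6.1.4.1.99999.1 is a hypothetical stand-in for a purpose from "our own space".

```python
"""Encode, decode and classify an X.509 ExtendedKeyUsage extension value.

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
KeyPurposeId      ::= OBJECT IDENTIFIER
Added example, not strongSwan code; only the standard library is used.
"""

# id-kp arc 1.3.6.1.5.5.7.3 (RFC 5280 section 4.2.1.12, RFC 4945 section 5.1.3.12)
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ID_KP_IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"  # deprecated by RFC 4945
ID_KP_IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"      # deprecated by RFC 4945
ID_KP_IPSEC_USER = "1.3.6.1.5.5.7.3.7"        # deprecated by RFC 4945
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"

DEPRECATED_IPSEC_EKUS = {
    ID_KP_IPSEC_END_SYSTEM: "id-kp-ipsecEndSystem",
    ID_KP_IPSEC_TUNNEL: "id-kp-ipsecTunnel",
    ID_KP_IPSEC_USER: "id-kp-ipsecUser",
}
# The three purposes the strongSwan reply above says its X.509 class maps.
STRONGSWAN_KNOWN_EKUS = {
    ID_KP_SERVER_AUTH: "serverAuth",
    ID_KP_CLIENT_AUTH: "clientAuth",
    ID_KP_OCSP_SIGNING: "ocspSigning",
}
# Hypothetical private-arc purpose standing in for "our own space".
PRIVATE_EKU = "1.3.6.1.4.1.99999.1"


def _encode_base128(n):
    """Big-endian base-128 with continuation bits, as used for OID arcs."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _encode_length(n):
    """DER definite length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def encode_oid(dotted):
    """Return the full OBJECT IDENTIFIER TLV (tag 0x06) for a dotted OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    body = _encode_base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return b"\x06" + _encode_length(len(body)) + body


def encode_eku(oids):
    """Return the DER SEQUENCE OF KeyPurposeId for the given dotted OIDs."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_length(len(body)) + body


def _read_tlv(buf, pos):
    """Parse one TLV at pos -> (tag, value, next_pos). Enforces DER: no
    indefinite length and no non-minimal long-form length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the *content* bytes of an OBJECT IDENTIFIER to dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, n = [], 0
    for b in value:
        if n == 0 and b == 0x80:
            raise ValueError("non-minimal OID sub-identifier")
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_eku(der):
    """Parse an ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    if not oids:
        raise ValueError("EKU must contain at least one KeyPurposeId")
    return oids


def has_eku(der, oid):
    """The check Sven asked about: is this purpose present in the extension?"""
    return oid in decode_eku(der)


def classify_eku(der):
    """Split the purposes into RFC 4945-deprecated, strongSwan-known and other."""
    oids = decode_eku(der)
    return {
        "oids": oids,
        "deprecated_ipsec": [DEPRECATED_IPSEC_EKUS[o] for o in oids if o in DEPRECATED_IPSEC_EKUS],
        "strongswan_known": [STRONGSWAN_KNOWN_EKUS[o] for o in oids if o in STRONGSWAN_KNOWN_EKUS],
        "unknown": [o for o in oids if o not in DEPRECATED_IPSEC_EKUS and o not in STRONGSWAN_KNOWN_EKUS],
    }


# Constructed sample: serverAuth, clientAuth and the deprecated ipsecUser.
SAMPLE_EKU_DER = bytes.fromhex(
    "301e" "06082b06010505070301" "06082b06010505070302" "06082b06010505070307"
)

if __name__ == "__main__":
    print(classify_eku(SAMPLE_EKU_DER))
    print(classify_eku(encode_eku([ID_KP_CLIENT_AUTH, PRIVATE_EKU])))
```

Run against the sample, `classify_eku` reports serverAuth and clientAuth as purposes strongSwan maps and id-kp-ipsecUser as deprecated; the private-arc OID lands in "unknown", which is the practical consequence of the reply: a purpose outside the three named ones is carried in the certificate but is not something strongSwan's X.509 class exposes as a flag, so any policy based on it has to be enforced by tooling that reads the raw extension, as this script does.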