[strongSwan] Checking X509 Extended Key Usage

Sven Anders anders at anduras.de
Wed Jun 20 09:49:49 CEST 2018

Hi Andreas,

Am 19.06.2018 um 18:47 schrieb Andreas Steffen:
> Hi Sven,
> according to section "ExtendedKeyUsage" of RFC 4945
> "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"
> the IPsec User EKU is deprecated:
>    The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in
>    certificates for use with IKE.  Note that there were three IPsec-
>    related object identifiers in EKU that were assigned in 1999.  The
>    semantics of these values were never clearly defined.  The use of
>    these three EKU values in IKE/IPsec is obsolete and explicitly
>    deprecated by this specification.  CAs SHOULD NOT issue certificates
>    for use in IKE with them.  (For historical reference only, those
>    values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel, and id-kp-
>    ipsecUser.)
> The only EKU flags our X.509 class supports are ocspSigning, ClientAuth,
> and ServerAuth.

yes I know, that "IPsec User" is deprecated (I expected this remark would
come), but I used it as an example here. We want to use our own OIDs.

Because the ExtendedKeyUsage is a just a list of OIDs and there are no
restrictions I know of, we use this to differentiate between classes of
certificates we issue.

If this isn't supported, how can we use StrongSwan to distinguish between
groups of certificates without using Sub-CAs?
We cannot be the first with this requirement...

> On 19.06.2018 18:22, Sven Anders wrote:
>> We want to limit the usage of certificates by defining certain
>> "Extended Key Usage" (EKU) flags to them.
>> As an example, we want to set the "IPSec User" usage ( and
>> only allow connection via IPSec, if it is set. We may use some other flags
>> out of our own space too.
>> How can I check in StrongSwan, if a certain EKU exists?

 Sven Anders

 Sven Anders <anders at anduras.de>                 () UTF-8 Ribbon Campaign
                                                 /\ Support plain text e-mail
 ANDURAS intranet security AG
 Messestrasse 3 - 94036 Passau - Germany
 Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55

Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety.
  - Benjamin Franklin

More information about the Users mailing list