[strongSwan] Checking X509 Extended Key Usage

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 20 10:43:49 CEST 2018

Hi Sven,

you can use certificate policies which are based on OIDs.

With swanctl.conf:

  remote {
    auth = pubkey
    cert_policy = <OID list>
  }

or with ipsec.conf:

  rightcertpolicy=<OID list>

Best regards


On 20.06.2018 09:49, Sven Anders wrote:
> Hi Andreas,
> On 19.06.2018 at 18:47, Andreas Steffen wrote:
>> Hi Sven,
>> according to section "ExtendedKeyUsage" of RFC 4945
>> "The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX"
>> the IPsec User EKU is deprecated:
>>    The CA SHOULD NOT include the ExtendedKeyUsage (EKU) extension in
>>    certificates for use with IKE.  Note that there were three IPsec-
>>    related object identifiers in EKU that were assigned in 1999.  The
>>    semantics of these values were never clearly defined.  The use of
>>    these three EKU values in IKE/IPsec is obsolete and explicitly
>>    deprecated by this specification.  CAs SHOULD NOT issue certificates
>>    for use in IKE with them.  (For historical reference only, those
>>    values were id-kp-ipsecEndSystem, id-kp-ipsecTunnel, and id-kp-
>>    ipsecUser.)
>> The only EKU flags our X.509 class supports are ocspSigning, ClientAuth,
>> and ServerAuth.
> yes I know that "IPsec User" is deprecated (I expected this remark would
> come), but I used it as an example here. We want to use our own OIDs.
> Because the ExtendedKeyUsage is just a list of OIDs and there are no
> restrictions I know of, we use this to differentiate between classes of
> certificates we issue.
> If this isn't supported, how can we use StrongSwan to distinguish between
> groups of certificates without using Sub-CAs?
> We cannot be the first with this requirement...
>> On 19.06.2018 18:22, Sven Anders wrote:
>>> We want to limit the usage of certificates by defining certain
>>> "Extended Key Usage" (EKU) flags to them.
>>> As an example, we want to set the "IPSec User" usage ( and
>>> only allow connection via IPSec, if it is set. We may use some other flags
>>> out of our own space too.
>>> How can I check in StrongSwan, if a certain EKU exists?
> Regards
>  Sven Anders
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
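As an added example (not code from this thread or from the strongSwan project), the following pure-Python snippet decodes the DER value of an extendedKeyUsage or certificatePolicies extension into dotted OIDs and then applies the check that a cert_policy / rightcertpolicy list expresses. It assumes the input is the raw extension value (the OCTET STRING contents), that every configured OID must be present for a match (an assumed rule, verify against the strongSwan documentation), and it uses constructed sample bytes with a placeholder private policy OID.

```python
def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn OBJECT IDENTIFIER contents into dotted notation, e.g. 1.3.6.1.5.5.7.3.7."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # a clear high bit ends this arc
            arcs.append(value)
            value = 0
    # the first byte packs the first two arcs as 40 * arc1 + arc2
    first, second = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in [first, second] + arcs[1:])


def extension_oids(der):
    """OIDs in an extKeyUsage (SEQUENCE OF OID) or certificatePolicies
    (SEQUENCE OF PolicyInformation { policyIdentifier OID, ... }) value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag == 0x30:                      # PolicyInformation: the OID comes first
            tag, body, _ = _read_tlv(body, 0)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(body))
    return oids


def policy_satisfied(required, present):
    """Assumed cert_policy semantics: every configured OID must be present."""
    return all(oid in present for oid in required)


# Constructed sample extension values (not taken from any real certificate).
# EKU listing id-kp-ipsecUser (1.3.6.1.5.5.7.3.7) and id-kp-clientAuth (1.3.6.1.5.5.7.3.2):
EKU_DER = bytes.fromhex("3014" "06082b06010505070307" "06082b06010505070302")
# certificatePolicies with one placeholder private policy OID 1.3.6.1.4.1.99999.1:
POLICIES_DER = bytes.fromhex("300d" "300b" "06092b06010401868d1f01")
```

The policy check mirrors what the cert_policy setting asks the daemon to enforce; an EKU-based check would be the same loop over extension_oids(EKU_DER), which is the distinction the thread turns on.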
