Hi Chris:

Chris Zimmerman wrote:
> Thanks to all of you for your assistance. With the recommended changes
> to the openssl.cnf file, I have successfully signed the CSR from the
> Watchguard box and imported it as a web cert (the Type that the
> Watchguard box sees). However, in order to use it for VPN tunnels,
> the device needs it to be a type IPSec. What is the extended key
> usage setting for that?

(Just as a future hint - "ipsec extendedKeyUsage" into google pulls up
the relevant information :)

However, as I said in my first mail to you on this topic, you'll have to
see whether it wants one of:

ipsecTunnel
ipsecEndSystem
ipsecUser

Also, as I said in my other mail, I'm not sure if OpenSSL supports these.
So, if they are not supported, you'll have to use the [OIDs] section in
the openssl.cnf file to define them ('man config' will tell you how to do
this), and then look up the extension OID values in the right RFC (the
above mentioned search will help you track that down), put the name/OID
pairs in there, and then define the correct value in the extendedKeyUsage
entry.

Have fun.

Patrick

> On Tue, Aug 26, 2008 at 10:41 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>> [usr_cert] is the appropriate section.
>>
>> This is above the [v3_req] section, at least in the vanilla 0.9.8h sources.
>>
>> -Kyle H
>>
>> On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman
>> <[EMAIL PROTECTED]> wrote:
>>> What is the appropriate section?
>>>
>>> Sorry if this is a basic question, but I am working on improving my
>>> knowledge.
>>>
>>> On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
>>> <[EMAIL PROTECTED]> wrote:
>>>> Chris:
>>>>
>>>> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>>>>> There is no ExtendedKeyUsage extension.
>>>>>
>>>>> To fix this, in your openssl.cnf file in section [usr_cert] there is a
>>>>> commented-out line that needs to be uncommented.
>>>>> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>>>>>
>>>>> Then generate a new certificate.
>>>>>
>>>> Actually - that will only set the keyUsage extension (which you will
>>>> need) - what you also want to set is to add a line to the appropriate
>>>> section in the openssl.cnf file that you are using to generate the
>>>> certificate, below that, which has:
>>>>
>>>> extendedKeyUsage = serverAuth,clientAuth
>>>>
>>>> And then regen the certificate.
>>>>
>>>> Have fun.
>>>>
>>>> Patrick.
>>>>
>>>>> -Kyle H
>>>>>
>>>>> On Tue, Aug 26, 2008 at 9:20 AM, Chris Zimmerman
>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>> Here's the cert for the Watchguard:
>>>>>>
>>>>>> Certificate:
>>>>>>     Data:
>>>>>>         Version: 3 (0x2)
>>>>>>         Serial Number: 15 (0xf)
>>>>>>         Signature Algorithm: sha1WithRSAEncryption
>>>>>>         Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System,
>>>>>>                 CN=Company Root CA/[EMAIL PROTECTED]
>>>>>>         Validity
>>>>>>             Not Before: Aug 26 16:16:57 2008 GMT
>>>>>>             Not After : Aug 24 16:16:57 2018 GMT
>>>>>>         Subject: C=US, ST=TX, O=Company, OU=System, CN=WG
>>>>>>         Subject Public Key Info:
>>>>>>             Public Key Algorithm: rsaEncryption
>>>>>>             RSA Public Key: (1024 bit)
>>>>>>                 Modulus (1024 bit):
>>>>>>                     00:c2:83:76:81:24:5c:48:09:71:66:bb:22:37:05:
>>>>>>                     f3:8b:0b:f6:df:24:a0:ec:d8:65:ac:d5:77:7f:e0:
>>>>>>                     91:f1:86:a4:00:23:17:c2:28:1f:81:e0:6d:e8:24:
>>>>>>                     e7:0a:bb:7e:a5:72:57:6d:65:cb:ec:7c:f1:d0:64:
>>>>>>                     63:9f:0d:0c:b3:4c:c6:e4:3f:7c:f9:1f:53:6b:c0:
>>>>>>                     47:3a:59:4d:87:37:e5:f6:4f:ef:75:20:5b:93:0b:
>>>>>>                     f9:8b:d7:4b:b7:4c:0c:e2:8c:2e:34:ad:23:3e:c6:
>>>>>>                     89:1e:6f:3b:0d:52:25:69:d2:42:d3:de:cd:cd:e3:
>>>>>>                     ef:80:8a:e0:2d:1c:20:8f:6b
>>>>>>                 Exponent: 65537 (0x10001)
>>>>>>         X509v3 extensions:
>>>>>>             X509v3 Basic Constraints:
>>>>>>                 CA:FALSE
>>>>>>             Netscape Comment:
>>>>>>                 OpenSSL Generated Certificate
>>>>>>             X509v3 Subject Key Identifier:
>>>>>>                 3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E1:D7:7C:71:A5:FF
>>>>>>             X509v3 Authority Key Identifier:
>>>>>>                 keyid:DB:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44:F7:58:A0:8A:E8
>>>>>>
>>>>>>     Signature Algorithm: sha1WithRSAEncryption
>>>>>>         7b:b7:d0:ca:42:96:24:6a:26:e1:a4:e1:45:91:d1:28:14:97:
>>>>>>         e2:ea:dc:d6:59:97:73:ef:1a:5a:54:a4:33:fe:c2:0c:74:ca:
>>>>>>         6b:e4:85:4c:a0:9d:49:7a:1a:b0:fd:48:5c:6a:bc:de:44:53:
>>>>>>         73:23:bc:0f:ab:b6:cb:49:5a:53:2c:5c:d5:24:23:3b:e6:da:
>>>>>>         16:22:d4:db:1c:82:ac:7a:37:01:0f:a5:4e:24:92:2b:bc:2e:
>>>>>>         33:01:4d:5e:c3:7f:91:0f:3d:1d:ea:b8:8d:ad:38:ed:ab:44:
>>>>>>         b7:2d:82:7b:c3:0d:2a:a2:21:8a:58:25:ac:c4:cb:f0:57:4e:
>>>>>>         ed:ec
>>>>>>
>>>>>> On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
>>>>>>> openssl x509 -in [filename] -noout -text -inform PEM
>>>>>>>
>>>>>>> -Kyle H
>>>>>>>
>>>>>>> On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman
>>>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>>>> That command seems to have a syntax problem, showing: "unknown option
>>>>>>>> [cert.pem-inserted my cert here]"
>>>>>>>>
>>>>>>>> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson <[EMAIL PROTECTED]> wrote:
>>>>>>>>> Chris Zimmerman wrote:
>>>>>>>>>> I am working to set up a Watchguard firewall with x509 certs for VPN
>>>>>>>>>> tunnels. I have created my own CA on my laptop and I have created a
>>>>>>>>>> CSR on the Watchguard product. I have then signed the CSR with my CA
>>>>>>>>>> certificate successfully which then imports into the Watchguard.
>>>>>>>>>> Here's the problem: Watchguard requires that the cert be typed as
>>>>>>>>>> "Web" or "IPSec" if it is to be used for VPN tunnels. Every time I
>>>>>>>>>> import my signed cert it shows up as a CA Cert type. I know this is
>>>>>>>>>> an interop question, but has anyone got an idea of what to try to get
>>>>>>>>>> this working? I've been at this for days now with no success.
>>>>>>>>> Look at the various settings for basic constraints, key usage and
>>>>>>>>> extended key usage as controlled in openssl.cnf ... basically you need
>>>>>>>>> to set them to match what Watchguard wants.
>>>>>>>>>
>>>>>>>>> Perhaps you have the v3_ca stuff set.
>>>>>>>>>
>>>>>>>>> The output of
>>>>>>>>> openssl x509 -text -noout cert.pem
>>>>>>>>> will let me see what you have set in the way of those extensions.
>>>>>>>>>
>>>>>>>>> If you have a working certificate and a non-working one then comparing
>>>>>>>>> the text output should help show what the requirements are.
>>>>>>>>>
>>>>>>>>> Tim.
>>>>>>>> ______________________________________________________________________
>>>>>>>> OpenSSL Project                                 http://www.openssl.org
>>>>>>>> User Support Mailing List                    openssl-users@openssl.org
>>>>>>>> Automated List Manager                           [EMAIL PROTECTED]
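Editor's worked example, added to this thread and not written by any of the posters: a shell script that uses the openssl CLI to build a throwaway root CA, sign a stand-in CSR twice (once with an end-entity section carrying the three IPsec extendedKeyUsage names Patrick lists, once with a v3_ca section to reproduce the "imports as a CA cert" symptom Tim points at), and then read back the -text output the way Kyle's command does. It assumes the openssl binary is on PATH and that the build recognises the short names ipsecEndSystem, ipsecTunnel and ipsecUser (id-kp 5, 6 and 7, i.e. OIDs 1.3.6.1.5.5.7.3.5/.6/.7) and prints them under their long names "IPSec End System", "IPSec Tunnel" and "IPSec User"; section names, subjects and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is on PATH.
# Section names, subjects and file names below are the example's own.

# Write a config with a CA section and an end-entity section whose
# extensions match what a VPN peer certificate should carry.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = WG

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Not a CA, a signing+encipherment key, and the IPsec EKU names.
# Assumption: this OpenSSL build knows the names; if it does not, the
# numeric OIDs 1.3.6.1.5.5.7.3.5 / .6 / .7 can be written in their place.
[ ipsec_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, ipsecEndSystem, ipsecTunnel, ipsecUser
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Create a work dir holding a throwaway root CA and a CSR that stands in
# for the one the firewall exports. Prints the work dir path.
setup_ca() {
    work=$(mktemp -d) || return 1
    write_config "$work/ipsec.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" -config "$work/ipsec.cnf" -extensions v3_ca \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$work/ipsec.cnf" \
        -keyout "$work/wg.key" -out "$work/wg.csr" >/dev/null 2>&1 || return 1
    echo "$work"
}

# Sign the CSR with the named extension section of the config. Prints the
# certificate path. Signing with v3_ca is the mistake that yields a CA cert.
sign_csr() {
    work=$1; section=$2; out="$work/$section.crt"
    openssl x509 -req -in "$work/wg.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$work/ipsec.cnf" -extensions "$section" \
        -out "$out" >/dev/null 2>&1 || return 1
    echo "$out"
}

# Print the Basic Constraints flag (CA:TRUE or CA:FALSE) from -text output.
ca_flag() {
    openssl x509 -in "$1" -noout -text -inform PEM \
        | sed -n 's/.*\(CA:[A-Z]*\).*/\1/p' | head -n 1
}

# Succeed only if the cert is an end-entity cert carrying all three IPsec
# purposes: the same -text inspection the thread recommends, automated.
check_ipsec_eku() {
    txt=$(openssl x509 -in "$1" -noout -text -inform PEM) || return 1
    printf '%s\n' "$txt" | grep -q 'CA:FALSE' || return 1
    for want in 'IPSec End System' 'IPSec Tunnel' 'IPSec User'; do
        printf '%s\n' "$txt" | grep -q "$want" || return 1
    done
    return 0
}

W=$(setup_ca) || exit 1
GOOD=$(sign_csr "$W" ipsec_cert) || exit 1
BAD=$(sign_csr "$W" v3_ca) || exit 1
check_ipsec_eku "$GOOD" && echo "ipsec_cert: $(ca_flag "$GOOD"), IPsec EKUs present"
check_ipsec_eku "$BAD" || echo "v3_ca: $(ca_flag "$BAD"), no IPsec EKUs (the CA-type symptom)"
```

Running it prints one line per signing; comparing the two -text outputs side by side is exactly the "working versus non-working certificate" diff Tim suggests, with the Basic Constraints and Extended Key Usage blocks being the lines that differ.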