#1
|
| I am working to setup a Watchguard firewall with x509 certs for VPN tunnels. I have created my own CA on my laptop and I have created a CSR on the Watchguard product. I have then signed the CSR with my CA certificate successfully which then imports into the Watchguard. Here's the problem: Watchguard requires that the cert be typed as "Web" or "IPSec" if it is to be used for VPN tunnels. Everytime I import my signed cert it shows up as a CA Cert type. I know this is an interop question, but has any got an idea of what to try to get this working? I've been at this for days now with no success. Thanks! __________________________________________________ ____________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majordomo@openssl.org |
|
#2
|
| Hi Chris: On August 26, 2008 01:06:00 am Chris Zimmerman wrote: > I am working to setup a Watchguard firewall with x509 certs for VPN > tunnels. I have created my own CA on my laptop and I have created a > CSR on the Watchguard product. I have then signed the CSR with my CA > certificate successfully which then imports into the Watchguard. > Here's the problem: Watchguard requires that the cert be typed as > "Web" or "IPSec" if it is to be used for VPN tunnels. Everytime I > import my signed cert it shows up as a CA Cert type. I know this is > an interop question, but has any got an idea of what to try to get > this working? I've been at this for days now with no success. > What you're looking for are the X.509 extensions "Extended Key Usage", and "Key Usage". For a CA, there are several things that make it a "CA" Cert: 1: It is typically self signed. (Same Issuer as Subject) 2: It has the Extension "Basic Constraints" with the content CA:TRUE 3: It has the Extension "Key Usage", with the values digitalSignature, certSign, and crlSign. For a "Device" or End Entity Cert (what you want for your Watchguard box), there are several common characteristics: 1: It is typically signed by a CA. 2: If the extension "Basic Constraints" is present, it is set to "CA:FALSE". 3: It has the Extension "Key Usage" with the values digitalSignature 3a: If this is to be used for SSL client or server, the additional values of keyAgreement and keyEncipherment may also be present. 4: It has the Extension "Extended Key Usage", with the values of serverAuth or clientAuth, depending on which side of the transaction it is. It may have both, although some programs don't like that. It may also have the value anyExtendedKeyUsage to allow it to be used for any purpose, and the Watchguard box should recognise that. It may also have of the IPsec specific Extended Key Usage values: ipsecEndSystem, ipsecTunnel, ipsecUser (but I'm not sure if OpenSSL has implemented these last three). 
Regardless - that is what your device is telling you. If you want a good howto to help you set up your CA to issue certs that should work for issuing certificates to a Watchguard box, take a look at the "CertiPath OpenSSL Howto" guide that we've written: http://www.carillon.ca/library/howtos.php It will show you how to configure the openssl.cnf files to generate certificates with any and all of the above values set. Have fun. -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __________________________________________________ ____________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majordomo@openssl.org |
|
#3
|
| That command seems to have a syntax problem, showing: "unknown option [cert.pem-inserted my cert here]" On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson > Chris Zimmerman wrote: >> >> I am working to setup a Watchguard firewall with x509 certs for VPN >> tunnels. I have created my own CA on my laptop and I have created a >> CSR on the Watchguard product. I have then signed the CSR with my CA >> certificate successfully which then imports into the Watchguard. >> Here's the problem: Watchguard requires that the cert be typed as >> "Web" or "IPSec" if it is to be used for VPN tunnels. Everytime I >> import my signed cert it shows up as a CA Cert type. I know this is >> an interop question, but has any got an idea of what to try to get >> this working? I've been at this for days now with no success. > > Look a the various settings for basic constraints, key usage and extended > key usage as controlled in openssl.cnf ... basically you need to set them to > match what Watchguard wants. > > Perhaps you have the v3_ca stuff set. > > The output of > openssl x509 -text -noout cert.pem > will let me see what you have set in the way of those extensions. > > If you have a working certificate and a non-working one then comparing the > text output should help show what the requirements are. > > Tim. > __________________________________________________ ____________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majordomo@openssl.org |
|
#4
|
| openssl x509 -in [filename] -noout -text -inform PEM -Kyle H On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman > That command seems to have a syntax problem, showing: "unknown option > [cert.pem-inserted my cert here]" > > > > On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson >> Chris Zimmerman wrote: >>> >>> I am working to setup a Watchguard firewall with x509 certs for VPN >>> tunnels. I have created my own CA on my laptop and I have created a >>> CSR on the Watchguard product. I have then signed the CSR with my CA >>> certificate successfully which then imports into the Watchguard. >>> Here's the problem: Watchguard requires that the cert be typed as >>> "Web" or "IPSec" if it is to be used for VPN tunnels. Everytime I >>> import my signed cert it shows up as a CA Cert type. I know this is >>> an interop question, but has any got an idea of what to try to get >>> this working? I've been at this for days now with no success. >> >> Look a the various settings for basic constraints, key usage and extended >> key usage as controlled in openssl.cnf ... basically you need to set them to >> match what Watchguard wants. >> >> Perhaps you have the v3_ca stuff set. >> >> The output of >> openssl x509 -text -noout cert.pem >> will let me see what you have set in the way of those extensions. >> >> If you have a working certificate and a non-working one then comparing the >> text output should help show what the requirements are. >> >> Tim. >> > __________________________________________________ ____________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majordomo@openssl.org > __________________________________________________ ____________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majordomo@openssl.org |
|
#5
|
| Here's the cert for the Watchguard: Certificate: Data: Version: 3 (0x2) Serial Number: 15 (0xf) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System, CN=Company Root CA/emailAddress=ca@company.com Validity Not Before: Aug 26 16:16:57 2008 GMT Not After : Aug 24 16:16:57 2018 GMT Subject: C=US, ST=TX, O=Company, OU=System, CN=WG Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:c2:83:76:81:24:5c:48:09:71:66:bb:22:37:05: f3:8b:0b:f6:df:24:a0:ec:d8:65:ac:d5:77:7f:e0: 91:f1:86:a4:00:23:17:c2:28:1f:81:e0:6d:e8:24: e7:0a:bb:7e:a5:72:57:6d:65:cb:ec:7c:f1:d0:64: 63:9f:0d:0c:b3:4c:c6:e4:3f:7c:f9:1f:53:6b:c0: 47:3a:59:4d:87:37:e5:f6:4f:ef:75:20:5b:93:0b: f9:8b:d7:4b:b7:4c:0c:e2:8c:2e:34:ad:23:3e:c6: 89:1e:6f:3b:0d:52:25:69:d2:42:d3:de:cd:cd:e3: ef:80:8a:e0:2d:1c:20:8f:6b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E1 7:7C :71:A5:FFX509v3 Authority Key Identifier: keyid B:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44 :F7:58:A0:8A:E8Signature Algorithm: sha1WithRSAEncryption 7b:b7:d0:ca:42:96:24:6a:26:e1:a4:e1:45:91:d1:28:14 :97: e2:ea:dc:d6:59:97:73:ef:1a:5a:54:a4:33:fe:c2:0c:74 :ca: 6b:e4:85:4c:a0:9d:49:7a:1a:b0:fd:48:5c:6a:bc:de:44 :53: 73:23:bc:0f:ab:b6:cb:49:5a:53:2c:5c:d5:24:23:3b:e6 :da: 16:22:d4:db:1c:82:ac:7a:37:01:0f:a5:4e:24:92:2b:bc :2e: 33:01:4d:5e:c3:7f:91:0f:3d:1d:ea:b8:8d:ad:38:ed:ab :44: b7:2d:82:7b:c3:0d:2a:a2:21:8a:58:25:ac:c4:cb:f0:57 :4e: ed:ec On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton > openssl x509 -in [filename] -noout -text -inform PEM > > -Kyle H > > On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman > >> That command seems to have a syntax problem, showing: "unknown option >> [cert.pem-inserted my cert here]" >> >> >> >> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson >>> Chris Zimmerman wrote: 
>>>> >>>> I am working to setup a Watchguard firewall with x509 certs for VPN >>>> tunnels. I have created my own CA on my laptop and I have created a >>>> CSR on the Watchguard product. I have then signed the CSR with my CA >>>> certificate successfully which then imports into the Watchguard. >>>> Here's the problem: Watchguard requires that the cert be typed as >>>> "Web" or "IPSec" if it is to be used for VPN tunnels. Everytime I >>>> import my signed cert it shows up as a CA Cert type. I know this is >>>> an interop question, but has any got an idea of what to try to get >>>> this working? I've been at this for days now with no success. >>> >>> Look a the various settings for basic constraints, key usage and extended >>> key usage as controlled in openssl.cnf ... basically you need to set them to >>> match what Watchguard wants. >>> >>> Perhaps you have the v3_ca stuff set. >>> >>> The output of >>> openssl x509 -text -noout cert.pem >>> will let me see what you have set in the way of those extensions. >>> >>> If you have a working certificate and a non-working one then comparing the >>> text output should help show what the requirements are. >>> >>> Tim. >>> >> __________________________________________________ ____________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager majordomo@openssl.org >> > __________________________________________________ ____________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majordomo@openssl.org > __________________________________________________ ____________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majordomo@openssl.org |
|
#6
|
| There is no ExtendedKeyUsage extension. To fix this, in your openssl.cnf file in section [usr_cert] there is a commented-out line that needs to be uncommented. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment Then generate a new certificate. -Kyle H On Tue, Aug 26, 2008 at 9:20 AM, Chris Zimmerman > Here's the cert for the Watchguard: > > Certificate: > Data: > Version: 3 (0x2) > Serial Number: 15 (0xf) > Signature Algorithm: sha1WithRSAEncryption > Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System, > CN=Company Root CA/emailAddress=ca@company.com > Validity > Not Before: Aug 26 16:16:57 2008 GMT > Not After : Aug 24 16:16:57 2018 GMT > Subject: C=US, ST=TX, O=Company, OU=System, CN=WG > Subject Public Key Info: > Public Key Algorithm: rsaEncryption > RSA Public Key: (1024 bit) > Modulus (1024 bit): > 00:c2:83:76:81:24:5c:48:09:71:66:bb:22:37:05: > f3:8b:0b:f6:df:24:a0:ec:d8:65:ac:d5:77:7f:e0: > 91:f1:86:a4:00:23:17:c2:28:1f:81:e0:6d:e8:24: > e7:0a:bb:7e:a5:72:57:6d:65:cb:ec:7c:f1:d0:64: > 63:9f:0d:0c:b3:4c:c6:e4:3f:7c:f9:1f:53:6b:c0: > 47:3a:59:4d:87:37:e5:f6:4f:ef:75:20:5b:93:0b: > f9:8b:d7:4b:b7:4c:0c:e2:8c:2e:34:ad:23:3e:c6: > 89:1e:6f:3b:0d:52:25:69:d2:42:d3:de:cd:cd:e3: > ef:80:8a:e0:2d:1c:20:8f:6b > Exponent: 65537 (0x10001) > X509v3 extensions: > X509v3 Basic Constraints: > CA:FALSE > Netscape Comment: > OpenSSL Generated Certificate > X509v3 Subject Key Identifier: > 3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E1 7:7C :71:A5:FF> X509v3 Authority Key Identifier: > > keyid B:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44 :F7:58:A0:8A:E8> > Signature Algorithm: sha1WithRSAEncryption > 7b:b7:d0:ca:42:96:24:6a:26:e1:a4:e1:45:91:d1:28:14 :97: > e2:ea:dc:d6:59:97:73:ef:1a:5a:54:a4:33:fe:c2:0c:74 :ca: > 6b:e4:85:4c:a0:9d:49:7a:1a:b0:fd:48:5c:6a:bc:de:44 :53: > 73:23:bc:0f:ab:b6:cb:49:5a:53:2c:5c:d5:24:23:3b:e6 :da: > 16:22:d4:db:1c:82:ac:7a:37:01:0f:a5:4e:24:92:2b:bc :2e: > 33:01:4d:5e:c3:7f:91:0f:3d:1d:ea:b8:8d:ad:38:ed:ab :44: > 
b7:2d:82:7b:c3:0d:2a:a2:21:8a:58:25:ac:c4:cb:f0:57 :4e: > ed:ec > > > On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton >> openssl x509 -in [filename] -noout -text -inform PEM >> >> -Kyle H >> >> On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman >> >>> That command seems to have a syntax problem, showing: "unknown option >>> [cert.pem-inserted my cert here]" >>> >>> >>> >>> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson >>>> Chris Zimmerman wrote: >>>>> >>>>> I am working to setup a Watchguard firewall with x509 certs for VPN >>>>> tunnels. I have created my own CA on my laptop and I have created a >>>>> CSR on the Watchguard product. I have then signed the CSR with my CA >>>>> certificate successfully which then imports into the Watchguard. >>>>> Here's the problem: Watchguard requires that the cert be typed as >>>>> "Web" or "IPSec" if it is to be used for VPN tunnels. Everytime I >>>>> import my signed cert it shows up as a CA Cert type. I know this is >>>>> an interop question, but has any got an idea of what to try to get >>>>> this working? I've been at this for days now with no success. >>>> >>>> Look a the various settings for basic constraints, key usage and extended >>>> key usage as controlled in openssl.cnf ... basically you need to set them to >>>> match what Watchguard wants. >>>> >>>> Perhaps you have the v3_ca stuff set. >>>> >>>> The output of >>>> openssl x509 -text -noout cert.pem >>>> will let me see what you have set in the way of those extensions. >>>> >>>> If you have a working certificate and a non-working one then comparing the >>>> text output should help show what the requirements are. >>>> >>>> Tim. 
>>>> >>> __________________________________________________ ____________________ >>> OpenSSL Project http://www.openssl.org >>> User Support Mailing List openssl-users@openssl.org >>> Automated List Manager majordomo@openssl.org >>> >> __________________________________________________ ____________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List openssl-users@openssl.org >> Automated List Manager majordomo@openssl.org >> > __________________________________________________ ____________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majordomo@openssl.org > __________________________________________________ ____________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majordomo@openssl.org |
|
#7
|
| Chris: On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote: > There is no ExtendedKeyUsage extension. > > To fix this, in your openssl.cnf file in section [usr_cert] there is a > commented-out line that needs to be uncommented. > # keyUsage = nonRepudiation, digitalSignature, keyEncipherment > > Then generate a new certificate. > Actually - that will only set the keyUsage extension (Which you will need) - what you also want to set is to add a line to the appropriate section in the openssl.cnf file that you are using to generate the certificate below that that has: extendedKeyUsage = serverAuth,clientAuth And then regen the certificate. Have fun. Patrick. > -Kyle H > > > On Tue, Aug 26, 2008 at 9:20 AM, Chris Zimmerman > > > > Here's the cert for the Watchguard: > > > > Certificate: > > Data: > > Version: 3 (0x2) > > Serial Number: 15 (0xf) > > Signature Algorithm: sha1WithRSAEncryption > > Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System, > > CN=Company Root CA/emailAddress=ca@company.com > > Validity > > Not Before: Aug 26 16:16:57 2008 GMT > > Not After : Aug 24 16:16:57 2018 GMT > > Subject: C=US, ST=TX, O=Company, OU=System, CN=WG > > Subject Public Key Info: > > Public Key Algorithm: rsaEncryption > > RSA Public Key: (1024 bit) > > Modulus (1024 bit): > > 00:c2:83:76:81:24:5c:48:09:71:66:bb:22:37:05: > > f3:8b:0b:f6:df:24:a0:ec:d8:65:ac:d5:77:7f:e0: > > 91:f1:86:a4:00:23:17:c2:28:1f:81:e0:6d:e8:24: > > e7:0a:bb:7e:a5:72:57:6d:65:cb:ec:7c:f1:d0:64: > > 63:9f:0d:0c:b3:4c:c6:e4:3f:7c:f9:1f:53:6b:c0: > > 47:3a:59:4d:87:37:e5:f6:4f:ef:75:20:5b:93:0b: > > f9:8b:d7:4b:b7:4c:0c:e2:8c:2e:34:ad:23:3e:c6: > > 89:1e:6f:3b:0d:52:25:69:d2:42:d3:de:cd:cd:e3: > > ef:80:8a:e0:2d:1c:20:8f:6b > > Exponent: 65537 (0x10001) > > X509v3 extensions: > > X509v3 Basic Constraints: > > CA:FALSE > > Netscape Comment: > > OpenSSL Generated Certificate > > X509v3 Subject Key Identifier: > > > > 3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E1 7:7C :71:A5:FF X509v3> > Authority Key 
Identifier: > > > > keyid B:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44 :F7:58:A0:8A:E8> > > > Signature Algorithm: sha1WithRSAEncryption > > 7b:b7:d0:ca:42:96:24:6a:26:e1:a4:e1:45:91:d1:28:14 :97: > > e2:ea:dc:d6:59:97:73:ef:1a:5a:54:a4:33:fe:c2:0c:74 :ca: > > 6b:e4:85:4c:a0:9d:49:7a:1a:b0:fd:48:5c:6a:bc:de:44 :53: > > 73:23:bc:0f:ab:b6:cb:49:5a:53:2c:5c:d5:24:23:3b:e6 :da: > > 16:22:d4:db:1c:82:ac:7a:37:01:0f:a5:4e:24:92:2b:bc :2e: > > 33:01:4d:5e:c3:7f:91:0f:3d:1d:ea:b8:8d:ad:38:ed:ab :44: > > b7:2d:82:7b:c3:0d:2a:a2:21:8a:58:25:ac:c4:cb:f0:57 :4e: > > ed:ec > > > > On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton > >> openssl x509 -in [filename] -noout -text -inform PEM > >> > >> -Kyle H > >> > >> On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman > >> > >> > >>> That command seems to have a syntax problem, showing: "unknown option > >>> [cert.pem-inserted my cert here]" > >>> > >>> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson > >>>> Chris Zimmerman wrote: > >>>>> I am working to setup a Watchguard firewall with x509 certs for VPN > >>>>> tunnels. I have created my own CA on my laptop and I have created a > >>>>> CSR on the Watchguard product. I have then signed the CSR with my CA > >>>>> certificate successfully which then imports into the Watchguard. > >>>>> Here's the problem: Watchguard requires that the cert be typed as > >>>>> "Web" or "IPSec" if it is to be used for VPN tunnels. Everytime I > >>>>> import my signed cert it shows up as a CA Cert type. I know this is > >>>>> an interop question, but has any got an idea of what to try to get > >>>>> this working? I've been at this for days now with no success. > >>>> > >>>> Look a the various settings for basic constraints, key usage and > >>>> extended key usage as controlled in openssl.cnf ... basically you need > >>>> to set them to match what Watchguard wants. > >>>> > >>>> Perhaps you have the v3_ca stuff set. 
> >>>> > >>>> The output of > >>>> openssl x509 -text -noout cert.pem > >>>> will let me see what you have set in the way of those extensions. > >>>> > >>>> If you have a working certificate and a non-working one then comparing > >>>> the text output should help show what the requirements are. > >>>> > >>>> Tim. > >>> > >>> __________________________________________________ ____________________ > >>> OpenSSL Project http://www.openssl.org > >>> User Support Mailing List openssl-users@openssl.org > >>> Automated List Manager majordomo@openssl.org > >> > >> __________________________________________________ ____________________ > >> OpenSSL Project http://www.openssl.org > >> User Support Mailing List openssl-users@openssl.org > >> Automated List Manager majordomo@openssl.org > > > > __________________________________________________ ____________________ > > OpenSSL Project http://www.openssl.org > > User Support Mailing List openssl-users@openssl.org > > Automated List Manager majordomo@openssl.org > > __________________________________________________ ____________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majordomo@openssl.org __________________________________________________ ____________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majordomo@openssl.org |
|
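To make the CA / end-entity checklist from Patrick's reply (#2) and the diagnosis in #6 and #7 concrete, here is an added example; it is my own code, not from this thread and not OpenSSL's. It is a stdlib-only Python script that builds three certificate structures with a tiny DER encoder (the issuer and subject names, serial and validity are taken from the dump above, but the public-key and signature bytes are placeholders, so these are constructed samples, not real issued certificates), then parses Basic Constraints, Key Usage and Extended Key Usage back out of them and classifies each the way the checklist does. The helper names (make_cert, inspect, classify) and the classification strings are my own.

```python
# Added example (not from the thread): a stdlib-only X.509 extension inspector that applies
# the CA / end-entity checklist given above to constructed certificates with dummy signatures.
BC, KU, EKU = "2.5.29.19", "2.5.29.15", "2.5.29.37"
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
           "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
EKU_OIDS = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
            "ipsecEndSystem": "1.3.6.1.5.5.7.3.5", "ipsecTunnel": "1.3.6.1.5.5.7.3.6",
            "ipsecUser": "1.3.6.1.5.5.7.3.7", "anyExtendedKeyUsage": "2.5.29.37.0"}

# --- minimal DER encoder, used only to build the constructed samples ---
def tlv(tag, body):
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body
def seq(*items): return tlv(0x30, b"".join(items))
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                     # base-128, high bit set on all but the last byte
        chunk = [a & 0x7F]; a >>= 7
        while a: chunk.insert(0, 0x80 | (a & 0x7F)); a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))
def extension(ext_oid, value, critical=False):
    return seq(oid(ext_oid), tlv(0x01, b"\xff") if critical else b"", tlv(0x04, value))
def basic_constraints(ca):                 # cA is DEFAULT FALSE: CA:FALSE is an empty SEQUENCE
    return extension(BC, seq(tlv(0x01, b"\xff")) if ca else seq(), critical=True)
def key_usage(names):                      # BIT STRING: first byte counts unused trailing bits
    bits = [KU_BITS.index(n) for n in names]
    val = bytearray(max(bits) // 8 + 1)
    for b in bits: val[b // 8] |= 0x80 >> (b % 8)
    return extension(KU, tlv(0x03, bytes([7 - max(bits) % 8]) + bytes(val)), critical=True)
def ext_key_usage(names): return extension(EKU, seq(*(oid(EKU_OIDS[n]) for n in names)))
def name(cn): return seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, cn.encode()))))
def make_cert(cn, exts):
    """Constructed v3 certificate: real layout, placeholder public key and signature bytes."""
    alg = seq(oid("1.2.840.113549.1.1.5"), tlv(0x05, b""))              # sha1WithRSAEncryption
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x0f"), alg,     # v3, serial 15
              name("Company Root CA"), seq(tlv(0x17, b"080826161657Z"), tlv(0x17, b"180824161657Z")),
              name(cn), seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, bytes(17))),
              tlv(0xA3, seq(*exts)))                                      # extensions [3] EXPLICIT
    return seq(tbs, alg, tlv(0x03, bytes(17)))

BC_DER, KU_DER, EKU_DER = (oid(d)[2:] for d in (BC, KU, EKU))   # OID contents, no tag/length
EKU_BY_DER = {oid(d)[2:]: n for n, d in EKU_OIDS.items()}

# --- minimal DER reader ---
def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def inspect(cert_der):
    """Return the CA flag, keyUsage names and extendedKeyUsage names found in a DER cert."""
    found = {"ca": None, "key_usage": set(), "eku": set()}
    tbs = children(read_tlv(cert_der)[1])[0][1]
    for tag, val in children(tbs):
        if tag != 0xA3: continue                    # only the [3] EXPLICIT extensions slot
        for _, ext in children(children(val)[0][1]):
            parts = children(ext)                   # extnID, [critical], extnValue OCTET STRING
            ext_oid, value = parts[0][1], parts[-1][1]
            if ext_oid == BC_DER:
                found["ca"] = any(t == 0x01 and v == b"\xff" for t, v in children(value))
            elif ext_oid == KU_DER:
                bits = read_tlv(value)[1]
                nbits = (len(bits) - 1) * 8 - bits[0]
                found["key_usage"] = {KU_BITS[i] for i in range(min(nbits, len(KU_BITS)))
                                      if bits[1 + i // 8] & (0x80 >> (i % 8))}
            elif ext_oid == EKU_DER:
                found["eku"] = {EKU_BY_DER.get(v, v.hex()) for _, v in children(read_tlv(value)[1])}
    return found

def classify(cert_der):
    """The checklist from the replies: CA cert, or end-entity cert and whether TLS/IPsec can use it."""
    f = inspect(cert_der)
    if f["ca"] or "keyCertSign" in f["key_usage"]:
        return "CA"
    missing = [n for n, s in (("keyUsage", f["key_usage"]), ("extendedKeyUsage", f["eku"])) if not s]
    if missing:
        return "end-entity, missing " + " and ".join(missing)
    if "digitalSignature" in f["key_usage"] and f["eku"] & set(EKU_OIDS):
        return "end-entity, usable for TLS/IPsec"
    return "end-entity, wrong usage for TLS/IPsec"

# Constructed samples: the posted cert's shape (Basic Constraints only), the fixed version, a CA cert.
BROKEN_CERT = make_cert("WG", [basic_constraints(False)])
FIXED_CERT = make_cert("WG", [basic_constraints(False), key_usage(["digitalSignature", "keyEncipherment"]),
                              ext_key_usage(["serverAuth", "clientAuth"])])
CA_CERT = make_cert("Company Root CA", [basic_constraints(True), key_usage(["digitalSignature", "keyCertSign", "cRLSign"])])

if __name__ == "__main__":
    for label, cert in (("posted cert", BROKEN_CERT), ("fixed cert", FIXED_CERT), ("CA cert", CA_CERT)):
        print(f"{label:12s} {classify(cert):42s} {inspect(cert)}")
```

To point it at a real certificate, pass the DER bytes of the file (for example the output of `openssl x509 -in cert.pem -outform DER`) to classify() instead of the constructed samples. inspect() only walks the [3] extensions slot and does not check the signature or the chain, so it is a diagnostic aid beside `openssl x509 -text`, not a verifier; the "missing extendedKeyUsage" result is the case diagnosed in #6, and uncommenting only the keyUsage line leaves the cert in that state until the extendedKeyUsage line from #7 is added too.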
#8
|
| I have no idea who you are,or what you are talking about,but, obviously you are sending this mail to the wrong adress. please check your source, and try a different e-mail adress. __________________________________________________ ____________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majordomo@openssl.org |
|
#9
|
| I have no idea who you are,or what you are talking about,but, obviously you are sending this mail to the wrong adress. please check your source, and try a different e-mail adress. __________________________________________________ ____________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majordomo@openssl.org |