Re: Need assistance with certificates and Watchguard product-LONGSHOT

FixUnix.com - Unix Linux Forums
#1  08-26-2008, 01:24 PM  Patrick Patterson
Re: Need assistance with certificates and Watchguard product-LONGSHOT

Chris:

On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
> There is no ExtendedKeyUsage extension.
>
> To fix this, in your openssl.cnf file in section [usr_cert] there is a
> commented-out line that needs to be uncommented.
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
> Then generate a new certificate.
>

Actually, that will only set the keyUsage extension (which you will need). What
you also want is to add, below that line in the appropriate section of the
openssl.cnf file you are using to generate the certificate, a line that has:

extendedKeyUsage = serverAuth,clientAuth

And then regen the certificate.

Have fun.

Patrick.

> -Kyle H
>
>
> On Tue, Aug 26, 2008 at 9:20 AM, Chris Zimmerman wrote:
> > Here's the cert for the Watchguard:
> >
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number: 15 (0xf)
> >         Signature Algorithm: sha1WithRSAEncryption
> >         Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System, CN=Company Root CA/emailAddress=ca@company.com
> >         Validity
> >             Not Before: Aug 26 16:16:57 2008 GMT
> >             Not After : Aug 24 16:16:57 2018 GMT
> >         Subject: C=US, ST=TX, O=Company, OU=System, CN=WG
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >             RSA Public Key: (1024 bit)
> >                 Modulus (1024 bit):
> >                     00:c2:83:76:81:24:5c:48:09:71:66:bb:22:37:05:
> >                     f3:8b:0b:f6:df:24:a0:ec:d8:65:ac:d5:77:7f:e0:
> >                     91:f1:86:a4:00:23:17:c2:28:1f:81:e0:6d:e8:24:
> >                     e7:0a:bb:7e:a5:72:57:6d:65:cb:ec:7c:f1:d0:64:
> >                     63:9f:0d:0c:b3:4c:c6:e4:3f:7c:f9:1f:53:6b:c0:
> >                     47:3a:59:4d:87:37:e5:f6:4f:ef:75:20:5b:93:0b:
> >                     f9:8b:d7:4b:b7:4c:0c:e2:8c:2e:34:ad:23:3e:c6:
> >                     89:1e:6f:3b:0d:52:25:69:d2:42:d3:de:cd:cd:e3:
> >                     ef:80:8a:e0:2d:1c:20:8f:6b
> >                 Exponent: 65537 (0x10001)
> >         X509v3 extensions:
> >             X509v3 Basic Constraints:
> >                 CA:FALSE
> >             Netscape Comment:
> >                 OpenSSL Generated Certificate
> >             X509v3 Subject Key Identifier:
> >                 3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E17:7C:71:A5:FF
> >             X509v3 Authority Key Identifier:
> >                 keyidB:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44:F7:58:A0:8A:E8
> >
> >     Signature Algorithm: sha1WithRSAEncryption
> >         7b:b7:d0:ca:42:96:24:6a:26:e1:a4:e1:45:91:d1:28:14:97:
> >         e2:ea:dc:d6:59:97:73:ef:1a:5a:54:a4:33:fe:c2:0c:74:ca:
> >         6b:e4:85:4c:a0:9d:49:7a:1a:b0:fd:48:5c:6a:bc:de:44:53:
> >         73:23:bc:0f:ab:b6:cb:49:5a:53:2c:5c:d5:24:23:3b:e6:da:
> >         16:22:d4:db:1c:82:ac:7a:37:01:0f:a5:4e:24:92:2b:bc:2e:
> >         33:01:4d:5e:c3:7f:91:0f:3d:1d:ea:b8:8d:ad:38:ed:ab:44:
> >         b7:2d:82:7b:c3:0d:2a:a2:21:8a:58:25:ac:c4:cb:f0:57:4e:
> >         ed:ec
> >
> > On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton wrote:
> >> openssl x509 -in [filename] -noout -text -inform PEM
> >>
> >> -Kyle H
> >>
> >> On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman wrote:
> >>> That command seems to have a syntax problem, showing: "unknown option
> >>> [cert.pem-inserted my cert here]"
> >>>
> >>> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson wrote:
> >>>> Chris Zimmerman wrote:
> >>>>> I am working to set up a Watchguard firewall with x509 certs for VPN
> >>>>> tunnels. I have created my own CA on my laptop and I have created a
> >>>>> CSR on the Watchguard product. I have then signed the CSR with my CA
> >>>>> certificate successfully, which then imports into the Watchguard.
> >>>>> Here's the problem: Watchguard requires that the cert be typed as
> >>>>> "Web" or "IPSec" if it is to be used for VPN tunnels. Every time I
> >>>>> import my signed cert it shows up as a CA Cert type. I know this is
> >>>>> an interop question, but has anyone got an idea of what to try to get
> >>>>> this working? I've been at this for days now with no success.
> >>>>
> >>>> Look at the various settings for basic constraints, key usage and
> >>>> extended key usage as controlled in openssl.cnf ... basically you need
> >>>> to set them to match what Watchguard wants.
> >>>>
> >>>> Perhaps you have the v3_ca stuff set.
> >>>>
> >>>> The output of
> >>>> openssl x509 -text -noout cert.pem
> >>>> will let me see what you have set in the way of those extensions.
> >>>>
> >>>> If you have a working certificate and a non-working one then comparing
> >>>> the text output should help show what the requirements are.
> >>>>
> >>>> Tim.
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org

#2  08-26-2008, 01:29 PM  Kyle Hamilton
Re: Need assistance with certificates and Watchguard product-LONGSHOT

Thanks for catching that.

-Kyle H

On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
wrote:
> Chris:
>
> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>> There is no ExtendedKeyUsage extension.
>>
>> To fix this, in your openssl.cnf file in section [usr_cert] there is a
>> commented-out line that needs to be uncommented.
>> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>>
>> Then generate a new certificate.
>>
>
> Actually - that will only set the keyUsage extension (Which you will need) -
> what you also want to set is to add a line to the appropriate section in the
> openssl.cnf file that you are using to generate the certificate below that
> that has:
>
> extendedKeyUsage = serverAuth,clientAuth
>
> And then regen the certificate.
>
> Have fun.
>
> Patrick.
#3  08-26-2008, 01:33 PM  Chris Zimmerman
Re: Need assistance with certificates and Watchguard product-LONGSHOT

What is the appropriate section?

Sorry if this is a basic question, but I am working on improving my knowledge.

On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
wrote:
> Chris:
>
> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>> There is no ExtendedKeyUsage extension.
>>
>> To fix this, in your openssl.cnf file in section [usr_cert] there is a
>> commented-out line that needs to be uncommented.
>> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>>
>> Then generate a new certificate.
>>
>
> Actually - that will only set the keyUsage extension (Which you will need) -
> what you also want to set is to add a line to the appropriate section in the
> openssl.cnf file that you are using to generate the certificate below that
> that has:
>
> extendedKeyUsage = serverAuth,clientAuth
>
> And then regen the certificate.
>
> Have fun.
>
> Patrick.
#4  08-26-2008, 01:41 PM  Kyle Hamilton
Re: Need assistance with certificates and Watchguard product-LONGSHOT

[usr_cert] is the appropriate section.

This is above the [v3_req] section, at least in the vanilla 0.9.8h sources.

-Kyle H

On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman
wrote:
> What is the appropriate section?
>
> Sorry if this is a basic question, but I am working on improving my knowledge.
#5  08-26-2008, 04:17 PM  Chris Zimmerman
Re: Need assistance with certificates and Watchguard product-LONGSHOT

Thanks to all of you for your assistance. With the recommended changes
to the openssl.cnf file, I have successfully signed the CSR from the
Watchguard box and imported it as a web cert (the type that the
Watchguard box sees). However, in order to use it for VPN tunnels,
the device needs it to be of type IPSec. What is the extended key
usage setting for that?

On Tue, Aug 26, 2008 at 10:41 AM, Kyle Hamilton wrote:
> [usr_cert] is the appropriate section.
>
> This is above the [v3_req] section, at least in the vanilla 0.9.8h sources.
>
> -Kyle H
  #6  
Old 08-26-2008, 04:32 PM
Default Re: Need assistance with certificates and Watchguard product-LONGSHOT

Hi Chris:

Chris Zimmerman wrote:
> Thanks to all of you in your assistance. With the recommended changes
> to the openssl.cnf file, I have successfully signed the CSR from the
> Watchguard box and imported it as a web cert (the Type that the
> Watchguard box sees). However, in order to use it for VPN tunnels,
> the device needs it to be a type IPSec. What is the extended key
> usage setting for that?
>

(Just as a future hint - "ipsec extendedKeyUsage" into google pulls up
the relevant information.)

However, as I said in my first mail to you on this topic, you'll have to
see whether it wants one of:

ipsecTunnel
ipsecEndSystem
ipsecUser

Also, as I said in my other mail, I'm not sure if OpenSSL supports these.

So, if they are not supported, you'll have to use the [OIDs] section in
the openssl.cnf file to define them ('man config' will tell you how to
do this), and then look up the extension OID values in the right RFC
(the above mentioned search will help you track that down), put the
name/OID pairs in there, and then define the correct value in the
extendedKeyUsage entry.

Have fun.

Patrick
  #7  
Old 08-26-2008, 04:41 PM
Default Re: Need assistance with certificates and Watchguard product-LONGSHOT

This is a bug, per RFC 4549. Please submit a report to your vendor.
(The semantics of the OIDs were never well-defined, and they have been
obsoleted -- according to RFC4549, having keyUsage=digitalSignature
and no EKU should work for IPsec.)

In the [new_oids] section, add new lines:

pkixeku=1.3.6.1.5.5.7.3
ipsecendsystem=${pkixeku}.5
ipsectunnel=${pkixeku}.6
ipsecuser=${pkixeku}.7

and then in [usr_cert] change your extendedKeyUsage line to:

extendedKeyUsage=serverAuth,clientAuth,ipsecIKE,ipsecendsystem,ipsectunnel,ipsecuser

This /should/ do it, but since I don't do anything with IPsec I can't
test it. My reference is
http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html

-Kyle H

On Tue, Aug 26, 2008 at 1:17 PM, Chris Zimmerman
wrote:
> Thanks to all of you in your assistance. With the recommended changes
> to the openssl.cnf file, I have successfully signed the CSR from the
> Watchguard box and imported it as a web cert (the Type that the
> Watchguard box sees). However, in order to use it for VPN tunnels,
> the device needs it to be a type IPSec. What is the extended key
> usage setting for that?
>
  #8  
Old 08-26-2008, 05:50 PM
Default Re: Need assistance with certificates and Watchguard product-LONGSHOT

Well, those attributes will work (minus the IKE one - it was not
recognized) but the Watchguard does not assign it with a type of
IPSec, so I've contacted Watchguard support to request the expected
extended attributes for this. I will post a reply as soon as I know.

On Tue, Aug 26, 2008 at 1:41 PM, Kyle Hamilton wrote:
> This is a bug, per RFC 4549. Please submit a report to your vendor.
> (The semantics of the OIDs were never well-defined, and they have been
> obsoleted -- according to RFC4549, having keyUsage=digitalSignature
> and no EKU should work for IPsec.)
>
> In the [new_oids] section, add new lines:
>
> pkixeku=1.3.6.1.5.5.7.3
> ipsecendsystem=${pkixeku}.5
> ipsectunnel=${pkixeku}.6
> ipsecuser=${pkixeku}.7
>
> and then in [usr_cert] change your extendedKeyUsage line to:
>
> extendedKeyUsage=serverAuth,clientAuth,ipsecIKE,ipsecendsystem,ipsectunnel,ipsecuser
>
> This /should/ do it, but since I don't do anything with IPsec I can't
> test it. My reference is
> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
>
> -Kyle H
  #9  
Old 09-08-2008, 05:29 PM
Default Re: Need assistance with certificates and Watchguard product-LONGSHOT

Here's what I had to add to the config to get it to work (as listed by
the vendor):

[ new_oids ]
pkixeku=1.3.6.1.5.5.8.2
ikeIntermediate=${pkixeku}.2

[ usr_cert ]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth,ikeIntermediate

Any thoughts on why this works?
On Tue, Aug 26, 2008 at 2:50 PM, Chris Zimmerman
wrote:
> Well, those attributes will work (minus the IKE one-it was not
> recognized) but the Watchguard does not assign it with a type of
> IPSec, so I've contacted Watchguard support to request the expected
> extended attributes for this. I will post a reply as soon as I know.
>
> On Tue, Aug 26, 2008 at 1:41 PM, Kyle Hamilton wrote:
>> This is a bug, per RFC 4549. Please submit a report to your vendor.
>> (The semantics of the OIDs were never well-defined, and they have been
>> obsoleted -- according to RFC4549, having keyUsage=digitalSignature
>> and no EKU should work for IPsec.)
>>
>> In the [new_oids] section, add new lines:
>>
>> pkixeku=1.3.6.1.5.5.7.3
>> ipsecendsystem=${pkixeku}.5
>> ipsectunnel=${pkixeku}.6
>> ipsecuser=${pkixeku}.7
>>
>> and then in [usr_cert] change your extendedKeyUsage line to:
>>
>> extendedKeyUsage=serverAuth,clientAuth,ipsecIKE,ip secendsystem,ipsectunnel,ipsecuser
>>
>> This /should/ do it, but since I don't do anything with IPsec I can't
>> test it. My reference is
>> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
>>
>> -Kyle H
>>
>> On Tue, Aug 26, 2008 at 1:17 PM, Chris Zimmerman
>> wrote:
>>> Thanks to all of you in your assistance. With the recommended changes
>>> to the openssl.cnf file, I have successfully signed the CSR from the
>>> Watchguard box and imported it as a web cert (the Type that the
>>> Watchguard box sees). However, in order to use it for VPN tunnels,
>>> the device needs it to be a type IPSec. What is the extended key
>>> usage setting for that?
>>>
>>> On Tue, Aug 26, 2008 at 10:41 AM, Kyle Hamilton wrote:
>>>> [usr_cert] is the appropriate section.
>>>>
>>>> This is above the [v3_req] section, at least in the vanilla 0.9.8h sources.
>>>>
>>>> -Kyle H
>>>>
>>>> On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman
>>>> wrote:
>>>>> What is the appropriate section?
>>>>>
>>>>> Sorry if this is a basic question, but I am working on improving my knowledge.
>>>>>
>>>>> On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
>>>>> wrote:
>>>>>> Chris:
>>>>>>
>>>>>> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>>>>>>> There is no ExtendedKeyUsage extension.
>>>>>>>
>>>>>>> To fix this, in your openssl.cnf file in section [usr_cert] there is a
>>>>>>> commented-out line that needs to be uncommented.
>>>>>>> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>>>>>>>
>>>>>>> Then generate a new certificate.
>>>>>>>
>>>>>> Actually - that will only set the keyUsage extension (Which you will need) -
>>>>>> what you also want to set is to add a line to the appropriate section in the
>>>>>> openssl.cnf file that you are using to generate the certificate below that
>>>>>> that has:
>>>>>>
>>>>>> extendedKeyUsage = serverAuth,clientAuth
>>>>>>
>>>>>> And then regen the certificate.
>>>>>>
>>>>>> Have fun.
>>>>>>
>>>>>> Patrick.
>>>>>>
>>>>>>> -Kyle H
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Aug 26, 2008 at 9:20 AM, Chris Zimmerman
>>>>>>>
>>>>>>> wrote:
>>>>>>> > Here's the cert for the Watchguard:
>>>>>>> >
>>>>>>> > Certificate:
>>>>>>> > Data:
>>>>>>> > Version: 3 (0x2)
>>>>>>> > Serial Number: 15 (0xf)
>>>>>>> > Signature Algorithm: sha1WithRSAEncryption
>>>>>>> > Issuer: C=US, ST=TX, L=Somewhere, O=Company, OU=System,
>>>>>>> > CN=Company Root CA/emailAddress=ca@company.com
>>>>>>> > Validity
>>>>>>> > Not Before: Aug 26 16:16:57 2008 GMT
>>>>>>> > Not After : Aug 24 16:16:57 2018 GMT
>>>>>>> > Subject: C=US, ST=TX, O=Company, OU=System, CN=WG
>>>>>>> > Subject Public Key Info:
>>>>>>> > Public Key Algorithm: rsaEncryption
>>>>>>> > RSA Public Key: (1024 bit)
>>>>>>> > Modulus (1024 bit):
>>>>>>> > 00:c2:83:76:81:24:5c:48:09:71:66:bb:22:37:05:
>>>>>>> > f3:8b:0b:f6:df:24:a0:ec:d8:65:ac:d5:77:7f:e0:
>>>>>>> > 91:f1:86:a4:00:23:17:c2:28:1f:81:e0:6d:e8:24:
>>>>>>> > e7:0a:bb:7e:a5:72:57:6d:65:cb:ec:7c:f1:d0:64:
>>>>>>> > 63:9f:0d:0c:b3:4c:c6:e4:3f:7c:f9:1f:53:6b:c0:
>>>>>>> > 47:3a:59:4d:87:37:e5:f6:4f:ef:75:20:5b:93:0b:
>>>>>>> > f9:8b:d7:4b:b7:4c:0c:e2:8c:2e:34:ad:23:3e:c6:
>>>>>>> > 89:1e:6f:3b:0d:52:25:69:d2:42:d3:de:cd:cd:e3:
>>>>>>> > ef:80:8a:e0:2d:1c:20:8f:6b
>>>>>>> > Exponent: 65537 (0x10001)
>>>>>>> > X509v3 extensions:
>>>>>>> > X509v3 Basic Constraints:
>>>>>>> > CA:FALSE
>>>>>>> > Netscape Comment:
>>>>>>> > OpenSSL Generated Certificate
>>>>>>> > X509v3 Subject Key Identifier:
>>>>>>> >
>>>>>>> > 3E:BB:9E:11:45:7B:F7:5E:BD:1D:F9:CE:A1:A9:E17:7C :71:A5:FF X509v3
>>>>>>> > Authority Key Identifier:
>>>>>>> >
>>>>>>> > keyidB:E2:B6:28:36:12:83:63:B2:FA:87:E1:64:FB:44 :F7:58:A0:8A:E8
>>>>>>> >
>>>>>>> > Signature Algorithm: sha1WithRSAEncryption
>>>>>>> > 7b:b7:d0:ca:42:96:24:6a:26:e1:a4:e1:45:91:d1:28:14 :97:
>>>>>>> > e2:ea:dc:d6:59:97:73:ef:1a:5a:54:a4:33:fe:c2:0c:74 :ca:
>>>>>>> > 6b:e4:85:4c:a0:9d:49:7a:1a:b0:fd:48:5c:6a:bc:de:44 :53:
>>>>>>> > 73:23:bc:0f:ab:b6:cb:49:5a:53:2c:5c:d5:24:23:3b:e6 :da:
>>>>>>> > 16:22:d4:db:1c:82:ac:7a:37:01:0f:a5:4e:24:92:2b:bc :2e:
>>>>>>> > 33:01:4d:5e:c3:7f:91:0f:3d:1d:ea:b8:8d:ad:38:ed:ab :44:
>>>>>>> > b7:2d:82:7b:c3:0d:2a:a2:21:8a:58:25:ac:c4:cb:f0:57 :4e:
>>>>>>> > ed:ec
>>>>>>> >
>>>>>>> > On Tue, Aug 26, 2008 at 9:14 AM, Kyle Hamilton wrote:
>>>>>>> >> openssl x509 -in [filename] -noout -text -inform PEM
>>>>>>> >>
>>>>>>> >> -Kyle H
>>>>>>> >>
>>>>>>> >> On Tue, Aug 26, 2008 at 8:44 AM, Chris Zimmerman
>>>>>>> >>
>>>>>>> >> wrote:
>>>>>>> >>> That command seems to have a syntax problem, showing: "unknown option
>>>>>>> >>> [cert.pem-inserted my cert here]"
>>>>>>> >>>
>>>>>>> >>> On Mon, Aug 25, 2008 at 10:55 PM, Tim Hudson wrote:
>>>>>>> >>>> Chris Zimmerman wrote:
>>>>>>> >>>>> I am working to setup a Watchguard firewall with x509 certs for VPN
>>>>>>> >>>>> tunnels. I have created my own CA on my laptop and I have created a
>>>>>>> >>>>> CSR on the Watchguard product. I have then signed the CSR with my CA
>>>>>>> >>>>> certificate successfully which then imports into the Watchguard.
>>>>>>> >>>>> Here's the problem: Watchguard requires that the cert be typed as
>>>>>>> >>>>> "Web" or "IPSec" if it is to be used for VPN tunnels. Every time I
>>>>>>> >>>>> import my signed cert it shows up as a CA Cert type. I know this is
>>>>>>> >>>>> an interop question, but has anyone got an idea of what to try to get
>>>>>>> >>>>> this working? I've been at this for days now with no success.
>>>>>>> >>>>
>>>>>>> >>>> Look at the various settings for basic constraints, key usage and
>>>>>>> >>>> extended key usage as controlled in openssl.cnf ... basically you need
>>>>>>> >>>> to set them to match what Watchguard wants.
>>>>>>> >>>>
>>>>>>> >>>> Perhaps you have the v3_ca stuff set.
>>>>>>> >>>>
>>>>>>> >>>> The output of
>>>>>>> >>>> openssl x509 -text -noout cert.pem
>>>>>>> >>>> will let me see what you have set in the way of those extensions.
>>>>>>> >>>>
>>>>>>> >>>> If you have a working certificate and a non-working one then comparing
>>>>>>> >>>> the text output should help show what the requirements are.
>>>>>>> >>>>
>>>>>>> >>>> Tim.
>>>>>>> >>>
>>>>>>> >>> __________________________________________________ ____________________
>>>>>>> >>> OpenSSL Project http://www.openssl.org
>>>>>>> >>> User Support Mailing List openssl-users@openssl.org
>>>>>>> >>> Automated List Manager majordomo@openssl.org
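As an added example, not code from the thread or from any vendor, the script below reproduces the configuration this thread arrives at using a throwaway CA: it writes an openssl.cnf whose [new_oids] section defines the ikeIntermediate alias and whose [usr_cert] section carries the keyUsage and extendedKeyUsage lines the thread settles on, signs one CSR with that profile and, for contrast, once more with the v3_ca profile Tim suspected was in play, then classifies each certificate from its `openssl x509 -text` output. It assumes only that the openssl command-line tool is installed; the CA directory, subjects, file names and the three-way classification (an approximation of how the thread reports the device typing certificates, not vendor logic) are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the thread's fix with a throwaway CA.
# Writes an openssl.cnf with the [new_oids] alias and the [usr_cert] keyUsage /
# extendedKeyUsage lines from the thread, signs one CSR with that profile and once
# more with the v3_ca profile, then classifies each result from `openssl x509 -text`.
# Needs only the openssl CLI; every name, path and subject here is constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
export WORK                       # read as $ENV::WORK inside the config file
CNF="$WORK/openssl.cnf"
mkdir -p "$WORK/ca/newcerts"
: > "$WORK/ca/index.txt"          # empty `openssl ca` database
echo 01 > "$WORK/ca/serial"

cat > "$CNF" <<'EOF'
oid_section = new_oids

[ new_oids ]
pkixeku         = 1.3.6.1.5.5.8.2
ikeIntermediate = ${pkixeku}.2

[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $ENV::WORK/ca
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/ca.pem
private_key    = $dir/ca.key
default_md     = sha256
default_days   = 30
policy         = policy_any
unique_subject = no

[ policy_any ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
# Placeholder only; -subj on the command line supplies the real DN.
commonName = placeholder

# CA profile: this is what makes a certificate import as "CA cert type".
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Leaf profile: CA:FALSE plus the usages the thread ends up with.
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth, ikeIntermediate
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF

# 1. Throwaway CA, self-signed with the v3_ca profile.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca/ca.key"
openssl req -new -x509 -sha256 -days 30 -key "$WORK/ca/ca.key" -config "$CNF" \
    -extensions v3_ca -subj "/C=US/O=Example Corp/CN=example-ca" -out "$WORK/ca/ca.pem"

# 2. A CSR standing in for the one exported from the firewall.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/leaf.key"
openssl req -new -key "$WORK/leaf.key" -config "$CNF" \
    -subj "/C=US/O=Example Corp/CN=vpn-gateway" -out "$WORK/leaf.csr"

# 3. Sign it with the usr_cert profile, and again with v3_ca for contrast.
openssl ca -batch -notext -config "$CNF" -extensions usr_cert \
    -in "$WORK/leaf.csr" -out "$WORK/leaf-ipsec.pem"
openssl ca -batch -notext -config "$CNF" -extensions v3_ca \
    -in "$WORK/leaf.csr" -out "$WORK/leaf-as-ca.pem"

# Dump a certificate the way the thread does; test the dump for a fixed string.
cert_text()   { openssl x509 -in "$1" -noout -text; }
has_in_text() { cert_text "$1" | grep -qF -- "$2"; }

# Classify as the thread reports the device doing: "ca" for CA:TRUE, "ipsec" for a
# leaf carrying the ikeIntermediate EKU (printed as a dotted OID when the alias is
# not registered), "web" for a leaf with serverAuth only. Approximation, not vendor logic.
cert_profile() {
    if has_in_text "$1" 'CA:TRUE'; then echo ca
    elif cert_text "$1" | grep -Eq 'ikeIntermediate|1\.3\.6\.1\.5\.5\.8\.2\.2'; then echo ipsec
    elif has_in_text "$1" 'TLS Web Server Authentication'; then echo web
    else echo other
    fi
}

for f in "$WORK/ca/ca.pem" "$WORK/leaf-ipsec.pem" "$WORK/leaf-as-ca.pem"; do
    printf '%s -> %s\n' "$(basename "$f")" "$(cert_profile "$f")"
done
```

The top-level oid_section key is what makes openssl req and openssl ca register the aliases from [new_oids]; a plain `openssl x509 -text` run without that configuration still shows the extra usage, but as the dotted OID 1.3.6.1.5.5.8.2.2 rather than the name, which is why the check accepts either form. Signing the same CSR under v3_ca is the quickest way to see why a certificate imports as a CA type: that leaf comes back with CA:TRUE and no extended key usage at all.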
  #10  
Old 09-08-2008, 08:08 PM
Default Re: Need assistance with certificates and Watchguard product-LONGSHOT

Because your vendor doesn't follow the latest ipsec specification,
which states that only keyUsage nonRepudiation,digitalSignature should
be required, and no extendedKeyUsage should be required. However,
looking at http://www.oid-info.com/cgi-bin/disp....3.6.1.5.5.8.2
says that 1.3.6.1.5.5.8.2 is the ipsec OID tree, not pkix.

If you could get them to point you to what they're using as the
Reference Which States They Must Require That OID, I would very much
appreciate knowing. (It's worth noting that Microsoft's ipsec
implementation in Windows Server 2008 doesn't appear to require this.)

-Kyle H

On Mon, Sep 8, 2008 at 2:29 PM, Chris Zimmerman
wrote:
> Here's what I had to add to the config to get it to work (as listed by
> the vendor):
>
> [ new_oids ]
> pkixeku=1.3.6.1.5.5.8.2
> ikeIntermediate=${pkixeku}.2
>
> [ usr_cert ]
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> extendedKeyUsage = serverAuth,clientAuth,ikeIntermediate
>
> Any thoughts on why this works?
>
>
>
> On Tue, Aug 26, 2008 at 2:50 PM, Chris Zimmerman
> wrote:
>> Well, those attributes will work (minus the IKE one-it was not
>> recognized) but the Watchguard does not assign it with a type of
>> IPSec, so I've contacted Watchguard support to request the expected
>> extended attributes for this. I will post a reply as soon as I know.
>>
>> On Tue, Aug 26, 2008 at 1:41 PM, Kyle Hamilton wrote:
>>> This is a bug, per RFC 4549. Please submit a report to your vendor.
>>> (The semantics of the OIDs were never well-defined, and they have been
>>> obsoleted -- according to RFC4549, having keyUsage=digitalSignature
>>> and no EKU should work for IPsec.)
>>>
>>> In the [new_oids] section, add new lines:
>>>
>>> pkixeku=1.3.6.1.5.5.7.3
>>> ipsecendsystem=${pkixeku}.5
>>> ipsectunnel=${pkixeku}.6
>>> ipsecuser=${pkixeku}.7
>>>
>>> and then in [usr_cert] change your extendedKeyUsage line to:
>>>
>>> extendedKeyUsage=serverAuth,clientAuth,ipsecIKE,ipsecendsystem,ipsectunnel,ipsecuser
>>>
>>> This /should/ do it, but since I don't do anything with IPsec I can't
>>> test it. My reference is
>>> http://www.alvestrand.no/objectid/1.3.6.1.5.5.7.3.html
>>>
>>> -Kyle H
>>>
>>> On Tue, Aug 26, 2008 at 1:17 PM, Chris Zimmerman
>>> wrote:
>>>> Thanks to all of you in your assistance. With the recommended changes
>>>> to the openssl.cnf file, I have successfully signed the CSR from the
>>>> Watchguard box and imported it as a web cert (the Type that the
>>>> Watchguard box sees). However, in order to use it for VPN tunnels,
>>>> the device needs it to be a type IPSec. What is the extended key
>>>> usage setting for that?
>>>>
>>>> On Tue, Aug 26, 2008 at 10:41 AM, Kyle Hamilton wrote:
>>>>> [usr_cert] is the appropriate section.
>>>>>
>>>>> This is above the [v3_req] section, at least in the vanilla 0.9.8h sources.
>>>>>
>>>>> -Kyle H
>>>>>
>>>>> On Tue, Aug 26, 2008 at 10:33 AM, Chris Zimmerman
>>>>> wrote:
>>>>>> What is the appropriate section?
>>>>>>
>>>>>> Sorry if this is a basic question, but I am working on improving my knowledge.
>>>>>>
>>>>>> On Tue, Aug 26, 2008 at 10:24 AM, Patrick Patterson
>>>>>> wrote:
>>>>>>> Chris:
>>>>>>>
>>>>>>> On Tuesday 26 August 2008 12:58:22 Kyle Hamilton wrote:
>>>>>>>> There is no ExtendedKeyUsage extension.
>>>>>>>>
>>>>>>>> To fix this, in your openssl.cnf file in section [usr_cert] there is a
>>>>>>>> commented-out line that needs to be