How do I generate IPSEC Computer Certificates using a 3rd party CA
Hi, I'm interested in establishing an IPSEC connection between a Windows 2008 Server and a Unix/Linux Server, while using computer certificates for authentication/encryption. Can anyone provide definitive guidance as to what needs to be in the Certificate Signing Request if I intend to have the certificate signed by a third party (either a tool like OpenSSL or an established 3rd party CA)? Let's just assume that the Windows admins don't want to take on the Certificate Authority role right now, so the AD CA is not an option. I am aware that in either case I will need to add either my custom root CA cert or the 3rd party's intermediate cert to the certificate store of each machine; however, what is not clear is what goes in the CSR. Extensive googling has led me to a few hints. Here is what I have found so far:
1) The process for manually generating the CSR for a 3rd party CA with full control of the contents
2) A suggested list of fields required in the CSR for IPSEC
3) Confirmation that the FQDN of the computer must be present in either the Common Name or Subject Alternative Name field of the Certificate
However, given that this information was found in bits and pieces around the internet, I would still like to confirm that the above statements are correct and hopefully get answers to the following:
a) When using the Subject Alternative Name, can the Common Name be blank or must it contain a value?
b) Can the Common Name be a wildcard value? e.g. *.microsoft.com
c) Must the IP address be specified in the SAN field as well?
d) Has anybody actually used a 3rd party CA (VeriSign, Thawte, etc.) to sign a cert for IPSEC? What about another non-MS CA provider or tool?
April 25th, 2011 3:49am

a) If you use the Subject Alternative Name (SAN) extension, the Subject field can be empty or non-empty. If empty, the SAN extension MUST be marked as critical. If non-empty, the SAN extension should not be marked as critical. However, if the SAN extension is present, the Subject field is not used for authentication.
b) No. Common name represents a particular host. In order to use wildcards you need to use the SAN extension.
c) This depends. If your client connects to the remote host via IP address, the SAN (or Subject field if SAN is not used) MUST contain the IP address of the remote host. If your client connects to the remote host via name (FQDN or other name type), the corresponding name MUST be set in the server's certificate SAN extension. In other words, what your client types (in a web browser or other application) is what should be asserted in the server's certificate SAN extension (or Subject field if SAN is not used).
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
April 25th, 2011 4:20am

Hi Vadims, Thanks for the quick response. Based on what you have said above, would the following config work for a computer whose hostname is qatest.contoso.com and IP is 10.10.0.5? I am deliberately using the wildcard value in the subject, even though it will get overridden by the SAN, in order to conform with the expectations of the 3rd party CA.
Subject = "CN=*.internal.contoso.com"
SAN = "dns=qatest.contoso.com&dns=qatest&ipaddress=10.10.0.5"
I am also wondering how the verification of the Certificate Revocation List will be handled. According to this document, "weak" CRL checking is the default for Server 2000/2003, so if the system is unable to access the list (proxy or network issue), verification still passes. Anybody know if the setting is the same for 2008 and what kind of timeout/wait period there is before attempts to access the CRL fail?
April 25th, 2011 4:02pm
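As an added example (not from either poster), this is how the Subject/SAN combination proposed above can be produced as a CSR with OpenSSL and inspected before it goes to the CA. The hostname, IP and wildcard CN are the values from the post; the keyUsage line and the working directory are assumptions, and the SAN is left non-critical because the Subject is non-empty. EKU requirements are not covered by this thread and are deliberately omitted.

```shell
#!/bin/sh
# Added example: build the CSR described in the thread with OpenSSL and
# show the SAN that IPsec peers will actually match against.
set -e

# Assumption: scratch directory for the key, CSR and config.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a minimal request config. CN carries the wildcard the 3rd party CA
# expects; the SAN carries the real FQDN, short name and IP of the host.
# Subject is non-empty, so SAN is not marked critical (per the answer above).
make_ipsec_csr() {
    cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = *.internal.contoso.com

[ v3_req ]
keyUsage       = digitalSignature, keyEncipherment
subjectAltName = DNS:qatest.contoso.com, DNS:qatest, IP:10.10.0.5
EOF
    # 2048-bit RSA key, unencrypted, SHA-256 signed request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/qatest.key" -out "$WORKDIR/qatest.csr" \
        -config "$WORKDIR/req.cnf" 2>/dev/null
}

# Print the SAN values parsed back out of the CSR (one line).
csr_san() {
    openssl req -in "$WORKDIR/qatest.csr" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print; exit }'
}

# Return success if the SAN contains the given entry, e.g. "IP Address:10.10.0.5".
# Use this to confirm the name or address the peer connects to is really there.
san_has() {
    csr_san | grep -q -- "$1"
}
```

Run `make_ipsec_csr` and then `csr_san` to see exactly what the CA will be asked to sign; `san_has 'IP Address:10.10.0.5'` checks the IP case from point c) of the answer.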

By default IPsec tries to verify certificate revocation status, but if it fails (when revocation status could not be determined), the connection is allowed. In Windows Server 2008/2008 R2 you still need to configure the registry to enforce strict revocation checking.
My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
April 26th, 2011 2:04am
