
ike v2 windows 2008 r2 certificate


Matthew F. Hymowitz

Sep 20, 2011, 7:05:39 PM
We are trying to set up a VPN tunnel using IKE v2 between a Windows 2008 VPN server and a Linux machine running strongSwan.  We are trying to do this using machine certificates.   We are using a Windows 2008 R2 private certificate authority.  I am not sure how to generate the CSR in OpenSSL for a machine certificate.   In Windows land we put information about the certificate into a .inf file with the following content:
 
[NewRequest]
Subject="CN=MACHINE.DOMAIN.COM"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xF0
MachineKeySet=TRUE
RequestType=CMC
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
OID=1.3.6.1.5.5.8.2.2
[RequestAttributes]
SAN="dns:MACHINE.DOMAIN.COM"
 
This inf file is then used as input to the CSR.
 
 
Can I, and how would I, tell OpenSSL to generate an equivalent CSR?  Any insight someone could provide would be much appreciated.
 
 
Thank you.
 
 
Matt Hymowitz, CISSP
Manager
GMP Networks, LLC

Jakob Bohm

Sep 21, 2011, 9:29:32 AM
I know the OpenSSL equivalent of most of these fields, and I have tried
to guess the last one, see below.


On 9/21/2011 1:05 AM, Matthew F. Hymowitz wrote:
> We are trying to set up a VPN tunnel using IKE v2 between a Windows
> 2008 VPN server and a Linux machine running strongSwan. We are trying
> to do this using machine certificates. We are using a Windows 2008
> R2 private certificate authority. I am not sure how to generate the
> CSR in OpenSSL for a machine certificate. In Windows land we put
> information about the certificate into a .inf file with the following
> content:
> [NewRequest]
> Subject="CN=MACHINE.DOMAIN.COM"
The CN specified in input to "openssl req"
> Exportable=TRUE
"openssl req" option "-keyout filename.key"
> KeyLength=2048
"openssl req" option "-newkey rsa:2048"
> KeySpec=1
Ignore (I think)
> KeyUsage=0xF0
OpenSSL Config file option
"keyusage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment"

(I am not entirely sure of this one; I guessed 0xF0 represented bits 0 to 7 of this property, with the most significant bit being bit 0.)

> MachineKeySet=TRUE
"openssl req" option "-keyout filename.key"
> RequestType=CMC
"openssl req"
> ProviderName="Microsoft RSA SChannel Cryptographic Provider"
Ignore, just specifies the "engine" to use with Microsoft CryptoAPI
> ProviderType=12
Ignore, just specifies the "engine" to use with Microsoft CryptoAPI
> [EnhancedKeyUsageExtension]
> OID=1.3.6.1.5.5.7.3.1
> OID=1.3.6.1.5.5.7.3.2
> OID=1.3.6.1.5.5.8.2.2
OpenSSL Config file option
"extendedKeyUsage=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.8.2.2"
> [RequestAttributes]
> SAN="dns:MACHINE.DOMAIN.COM"
OpenSSL Config file option "subjectAltName=dns:MACHINE.DOMAIN.COM"
> This inf file is then used as input to the CSR.
> Can I, and how would I, tell OpenSSL to generate an equivalent CSR? Any
> insight someone could provide would be much appreciated.
>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
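An added example, not from either post: the OpenSSL config file and the `openssl req` invocation that correspond to the field mapping in the reply above, written in POSIX shell. The FQDN MACHINE.DOMAIN.COM and the extension values come from the thread; the function names, the output file names and the final check against `openssl req -text` output are my own assumptions (OpenSSL must be on PATH).

```shell
#!/bin/sh
# Writes an OpenSSL request config equivalent to the certreq .inf posted above.
# $1 = config path to create, $2 = machine FQDN used for CN and SAN
write_req_config() {
  cat > "$1" <<EOF
[ req ]
# KeyLength=2048
default_bits        = 2048
prompt              = no
distinguished_name  = req_dn
req_extensions      = v3_req

[ req_dn ]
# Subject="CN=..."
CN = $2

[ v3_req ]
# KeyUsage=0xF0 is the OR of the Windows flags 0x80 (digitalSignature),
# 0x40 (nonRepudiation), 0x20 (keyEncipherment) and 0x10 (dataEncipherment)
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# [EnhancedKeyUsageExtension]: serverAuth, clientAuth, IKE intermediate
extendedKeyUsage = 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.8.2.2
# [RequestAttributes] SAN="dns:..."
subjectAltName   = DNS:$2
EOF
}

# Generates a fresh 2048-bit RSA key (unencrypted PEM, as strongSwan loads it)
# and the CSR. $1 = config, $2 = key output path, $3 = CSR output path
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
    -config "$1" 2>/dev/null
}

# Decodes the CSR and confirms the three requested extensions are present.
# $1 = CSR path; returns 0 when all checks pass, 1 otherwise
csr_has_extensions() {
  text=$(openssl req -in "$1" -noout -text) || return 1
  printf '%s\n' "$text" | grep -q \
    'Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment' || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
  # the IKE intermediate OID may print by name or numerically depending on version
  printf '%s\n' "$text" | grep -qiE '1\.3\.6\.1\.5\.5\.8\.2\.2|IKE' || return 1
  printf '%s\n' "$text" | grep -q 'DNS:MACHINE.DOMAIN.COM' || return 1
  return 0
}
```

The resulting machine.csr is what you submit to the Windows CA; inspect it with `openssl req -in machine.csr -noout -text` before submitting to confirm the extensions landed in the request.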
