Add the extendedKeyUsage flags serverAuth and clientAuth. Newer Windows

version require these flags to accept the X.509 certificates from the
gateway or client;  I just add both flags to make it work in both cases
and verified it with win7, for example when authenticating against iked.

go ahead beck@

1 files changed, 3 insertions, 0 deletions

diff --git a/src/lib/libssl/x509v3.cnf b/src/lib/libssl/x509v3.cnf
index 5835534b96..8c6b775da1 100644
--- a/src/lib/libssl/x509v3.cnf
+++ b/src/lib/libssl/x509v3.cnf
@@ -1,6 +1,7 @@
 # default settings
 CERTPATHLEN             = 1
 CERTUSAGE               = digitalSignature,keyCertSign,cRLSign
+EXTCERTUSAGE            = serverAuth,clientAuth
 CERTIP                  = 0.0.0.0
 CERTFQDN                = nohost.nodomain
 
@@ -18,9 +19,11 @@ keyUsage=$ENV::CERTUSAGE
 # The address must be provided in the CERTIP environment variable
 [x509v3_IPAddr]
 subjectAltName=IP:$ENV::CERTIP
+extendedKeyUsage=$ENV::EXTCERTUSAGE
 
 # This section should be referenced to add a FQDN hostname
 # as an alternate subject name, needed by isakmpd
 # The address must be provided in the CERTFQDN environment variable
 [x509v3_FQDN]
 subjectAltName=DNS:$ENV::CERTFQDN
+extendedKeyUsage=$ENV::EXTCERTUSAGE