Add IPsec IKE Intermediate EKU to server certificates. The serverAuth EKU already added suffices for Windows clients, though strongswan docs suggest setting this as well.

author: Chris Buechler <cmb@pfsense.org> 2015-07-20 23:46:07 -0500
committer: Chris Buechler <cmb@pfsense.org> 2015-07-20 23:50:47 -0500
commit: 66ed8787c4e2706be8631b1c7b416a636808efd7 (patch)
tree: 0623190da1e0a7b5f0478fae4cab51c2e1f7762a /etc/ssl
parent: ed2265217acc84b6c83e307de01d25d0688cb603 (diff)
download: pfsense-66ed8787c4e2706be8631b1c7b416a636808efd7.zip
pfsense-66ed8787c4e2706be8631b1c7b416a636808efd7.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/etc/ssl/openssl.cnf b/etc/ssl/openssl.cnf
index 75668f7..41664e6 100644
--- a/etc/ssl/openssl.cnf
+++ b/etc/ssl/openssl.cnf
@@ -235,7 +235,7 @@ nsCertType			= server
 nsComment			= "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=serverAuth
+extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
 keyUsage = digitalSignature, keyEncipherment
 
 [ server_san ]
@@ -246,7 +246,7 @@ nsCertType			= server
 nsComment			= "OpenSSL Generated Server Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
-extendedKeyUsage=serverAuth
+extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2
 keyUsage = digitalSignature, keyEncipherment
 subjectAltName=$ENV::SAN
author	Chris Buechler <cmb@pfsense.org>	2015-07-20 23:46:07 -0500
committer	Chris Buechler <cmb@pfsense.org>	2015-07-20 23:50:47 -0500
commit	66ed8787c4e2706be8631b1c7b416a636808efd7 (patch)
tree	0623190da1e0a7b5f0478fae4cab51c2e1f7762a /etc/ssl
parent	ed2265217acc84b6c83e307de01d25d0688cb603 (diff)
download	pfsense-66ed8787c4e2706be8631b1c7b416a636808efd7.zip pfsense-66ed8787c4e2706be8631b1c7b416a636808efd7.tar.gz