IPsec Certificate Background

Certificates have many fields but when it comes to VPNs using IPsec IKEv2 (Internet Key Exchange v2) there are three that are important to us.

  • Key Usage
  • Extended Key Usage
  • Subject Alternative Name

These are usually abbreviated KU, EKU and SAN. The IETF publishes guidelines [1] on how they should be used in this context, but vendor implementation [2] has specific requirements you must accept, and a certificate that you’d use on a web server may not work on a VPN.

Specific Attributes

For a web server, KU is all that is needed. As long as that field has the values digitalSignature and keyEncipherment [3], your web client will interact with it.

An IPsec VPN server, however, requires the additional fields EKU and SAN. Specifically, the EKU must contain the value serverAuth and the SAN must contain the DNS name of the server [4]. For compatibility with older Macs, you should also add the EKU value “IP Security IKE Intermediate” [5] even though it’s currently deprecated [6].

A RADIUS server also requires EKU and SAN values. You may have multiple RADIUS servers in play, e.g. rad1.gattis.org, rad2.gattis.org, and all must be added. Interestingly, KU values are optional.

Creating One

If you generate one via openssl with a conf file per the MS reqs, it looks like this [7]:

openssl genrsa -out ./ucm.key 2048
openssl req -new -key ucm.key -config ucm.conf -verbose -out ucm.csr

# Here are the contents of ucm.conf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
commonName = Secure Communications Server
countryName            = US
stateOrProvinceName    = State
localityName           = Town
organizationName       = Company
organizationalUnitName = Department
emailAddress           = [email protected]

[v3_req]
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth    
subjectAltName = @alt_names

[alt_names]
DNS.1   = rad1.gattis.org
DNS.2   = rad2.gattis.org
DNS.3   = vpn.gattis.org

Getting It Signed

By default, the CA that signs it will remove everything except the distinguished name. If you’re signing it yourself, you must create an extensions file similar to the one above.

vi radius.ext

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1   = rad1.gattis.org
DNS.2   = rad2.gattis.org
DNS.3   = vpn.gattis.org

openssl x509 -req -in radius.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out radius.crt -days 1825 -sha256 -extfile radius.ext

# View the results. If you don't see the "X509v3 extensions" for SAN and such, check the ext file you used.

openssl x509 -in radius.crt -text -noout

When you get a signed cert back from the provider, it should look something like this. Specifically, you should see the line X509v3 Extended Key Usage: as below. Otherwise it won’t work.

Important: if you get it back in Windows format, it won’t show you the EKUs. You must convert it from pkcs7 to x509.

# Convert if needed
openssl pkcs7 -print_certs -in 366713309.cer -out certificate.pem

# Otherwise, check the extensions
openssl x509 -in certificate.pem -text -noout
...
...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
...
...
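
To automate that check, the following added example (not part of the original page) reads the openssl x509 -text -noout output and tests it against the KU, EKU and SAN requirements listed under Specific Attributes. The function names and the sample text are constructed for illustration, and the legacy “IP Security IKE Intermediate” EKU is not checked.

```bash
# Added example (not from the original page). Reads "openssl x509 -text -noout"
# output on stdin and checks the KU/EKU/SAN values an IKEv2 VPN server needs.

# ext_value NAME: print the value line(s) listed under "X509v3 NAME:".
ext_value() {
  awk -v hdr="X509v3 $1:" '
    { ind = match($0, /[^ ]/) - 1 }            # indentation of this line
    grab && ind <= hind { grab = 0 }            # back at header depth: value ended
    grab { sub(/^ +/, ""); print }
    index($0, hdr) { grab = 1; hind = ind }     # values follow, indented deeper
  '
}

# check_vpn_cert DNSNAME: print each problem found; return 1 if there are any.
check_vpn_cert() {
  local name="$1" text ku eku san want rc=0
  text=$(cat)
  ku=$(printf '%s\n' "$text" | ext_value "Key Usage")
  eku=$(printf '%s\n' "$text" | ext_value "Extended Key Usage")
  san=$(printf '%s\n' "$text" | ext_value "Subject Alternative Name")
  for want in "Digital Signature" "Key Encipherment"; do
    case $ku in *"$want"*) ;; *) echo "KU missing: $want"; rc=1 ;; esac
  done
  # openssl prints the serverAuth EKU as "TLS Web Server Authentication"
  case $eku in
    *"TLS Web Server Authentication"*) ;;
    *) echo "EKU missing: serverAuth"; rc=1 ;;
  esac
  # Match a whole SAN entry so a substring of a listed name does not pass
  case ", $san," in
    *", DNS:$name,"*) ;;
    *) echo "SAN missing: DNS:$name"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample: a cert that was signed without the EKU and SAN extensions
SAMPLE_NO_EKU='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'
# Constructed sample with all three fields populated
SAMPLE_OK="$SAMPLE_NO_EKU
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:rad1.gattis.org, DNS:vpn.gattis.org"
```

Against a real certificate, pipe the output in: openssl x509 -in certificate.pem -text -noout | check_vpn_cert vpn.gattis.org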

Unified Communication For Free

You’ll notice that since this cert has everything that web servers, VPNs and RADIUS servers need, you can use it in all three locations. Indeed, these certs are sometimes sold as a “Unified Communications Certificate” for significantly more than a normal web server cert.

Interestingly, Let’s Encrypt (the free service) seems to offer certs that have almost exactly this. The only caveats are that all the SAN values must resolve to the verifying server and that you may not be able to support older Macs.


Last modified August 5, 2025: error explanation (a1b54cd)