Correction #15696
IKEv2 ACME certificate usage
Status: closed, 100% done
Description
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html#ipsec-ikev2-p1 states:
A certificate created by the ACME package (ACME package) will be natively trusted by many clients and can be used in place of a manually created private CA and server certificate.
This does not work for Windows (at least for Windows 10 version 10.0.19045.4780). I believe it's because the Let's Encrypt certificate is missing a certain key usage. Compare:
EKU: TLS Web Server Authentication, TLS Web Client Authentication, IP Security IKE Intermediate (internal certificate)
EKU: TLS Web Server Authentication, TLS Web Client Authentication (LE certificate obtained by ACME package)
Updated by Jim Pingle 3 months ago
- Assignee set to Jim Pingle
That is a known limitation; it's just not called out in that spot. It says "many" though, not "all".
At one point I thought we had tested it and it worked on Windows 11, though it doesn't seem to work at the moment. Also, users can change a registry setting in Windows 10/11 to ignore that IKE EKU check if they want.
Might be worth a mention/xref at least, though.
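Added example, not code from the pfSense docs, the ACME package, or anyone in this thread. It does two things the thread talks about: checks a server certificate for the EKU the description compares (OID 1.3.6.1.5.5.8.2.2, "IP security IKE intermediate", present on the internal pfSense certificate and absent from the Let's Encrypt one), and wraps the Windows registry override Jim mentions. The certificate path is a placeholder, and the registry path and value name are the ones Microsoft documents for RasMan rather than anything quoted in this ticket, so confirm them against current Windows client documentation before relying on them.

```powershell
# Added example; not from the pfSense docs, the ACME package, or this ticket.
# Assumption: $CertPath points at the IKEv2 server certificate (PEM or DER).
$CertPath = 'C:\temp\ikev2-server.cer'

# EKU OIDs. Windows IKEv2 clients expect the server certificate to carry
# "IP security IKE intermediate" in addition to serverAuth.
$ServerAuthOid      = '1.3.6.1.5.5.7.3.1'
$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'

function Test-IkeServerEku {
    param([Parameter(Mandatory)][string]$Path)

    # X509Certificate2 loads both PEM (Base64 with BEGIN/END lines) and DER files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # 2.5.29.37 is the extendedKeyUsage extension; decode it into its OID list.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $oids = @()
    if ($ekuExt) {
        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension -ArgumentList $ekuExt, $false
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        HasServerAuth      = ($oids -contains $ServerAuthOid)
        HasIkeIntermediate = ($oids -contains $IkeIntermediateOid)
        Ekus               = $oids
    }
}

# The client-side workaround the thread refers to. It relaxes the check RasMan
# performs on the server certificate (name/EKU), so a client with this set
# will accept a server certificate that is not bound to IKE use; treat it as a
# deliberate weakening on that client, not a fix for the certificate.
# Requires an elevated shell; RasMan (and its dependents) are restarted so the
# change takes effect, reboot if it does not.
function Disable-IkeEkuCheck {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
    New-ItemProperty -Path $key -Name 'DisableIKENameEkuCheck' -PropertyType DWord -Value 1 -Force | Out-Null
    Restart-Service -Name RasMan -Force
}

# Usage: inspect the certificate first; only reach for the registry change if
# HasIkeIntermediate is $false and you cannot issue a certificate that has it.
$result = Test-IkeServerEku -Path $CertPath
$result | Format-List
if (-not $result.HasIkeIntermediate) {
    Write-Warning "Certificate lacks $IkeIntermediateOid; Windows IKEv2 clients will reject it unless DisableIKENameEkuCheck is set."
}
```

On the pfSense side the cleaner fix is the one the docs describe: an internal CA and server certificate with the IKE Intermediate EKU for IKEv2, keeping the ACME certificate for services (web GUI, HTTPS) whose clients do not require that EKU.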
Updated by Alex Kolesnik 3 months ago
Jim, it would be really nice to mention that in the docs, thanks!
Also, could you please share that registry setting to ignore that IKE EKU check?
Updated by Jim Pingle 3 months ago
Alex Kolesnik wrote in #note-2:
Also, could you please share that registry setting to ignore that IKE EKU check?
The EKU check is covered in the documentation under configuring Windows clients for IKEv2:
Updated by Jim Pingle 3 months ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Updated and deployed, will be visible once the build finishes in a few minutes.
https://gitlab.netgate.com/docs/pfSense-docs/-/commit/43d6d44f23bd39dceb65272be30936e5b0cb4ce6