我现在很难为Windows 7创建一个CA证书来连接到strongSwan。
问题是,无论我尝试多少标志,Windows都不会使用它。我在受信任的根证书颁发机构组中有20个证书。这些都是默认的。当我安装我的时,总共有21个。在连接尝试中,Windows将尝试默认的20,甚至过时的,但不会尝试我的。
从StrongSwan wiki中,这是所需的日志输出:
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP4_SERVER
May 12 05:49:56 koala charon: 13[ENC] unknown attribute type INTERNAL_IP6_SERVER
May 12 05:49:56 koala charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP SA TSi TSr ]
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
May 12 05:49:56 koala charon: 13[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan 2009 CA"
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 55:e4:81:d1:11:80:be:d8:89:b9:08:a3:31:f9:a1:24:09:16:b9:70
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
May 12 05:49:56 koala charon: 13[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
May 12 05:49:56 koala charon: 13[CFG] looking for peer configs matching 10.10.0.1[%any]...10.10.0.6[10.10.0.6]
我得到的是:
11[ENC] unknown attribute type INTERNAL_IP4_SERVER
11[ENC] unknown attribute type INTERNAL_IP6_SERVER
11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
11[IKE] received cert request for unknown ca with keyid 0e:ac:82:60:40:56:27:97:e5:25:13:fc:2a:e1:0a:53:95:59:e4:a4
11[IKE] received cert request for unknown ca with keyid dd:bc:bd:86:9c:3f:07:ed:40:e3:1b:08:ef:ce:c4:d1:88:cd:3b:15
11[IKE] received cert request for unknown ca with keyid 4a:5c:75:22:aa:46:bf:a4:08:9d:39:97:4e:bd:b4:a3:60:f7:a0:1d
11[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
11[IKE] received cert request for unknown ca with keyid 34:4f:30:2d:25:69:31:91:ea:f7:73:5c:ab:f5:86:8d:37:82:40:ec
11[IKE] received cert request for unknown ca with keyid 3e:df:29:0c:c1:f5:cc:73:2c:eb:3d:24:e1:7e:52:da:bd:27:e2:f0
11[IKE] received cert request for unknown ca with keyid da:ed:64:74:14:9c:14:3c:ab:dd:99:a9:bd:5b:28:4d:8b:3c:c9:d8
11[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
11[IKE] received cert request for unknown ca with keyid 48:e6:68:f9:2b:d2:b2:95:d7:47:d8:23:20:10:4f:33:98:90:9f:d4
11[IKE] received cert request for unknown ca with keyid 87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75
11[IKE] received cert request for unknown ca with keyid f0:17:62:13:55:3d:b3:ff:0a:00:6b:fb:50:84:97:f3:ed:62:d0:1a
11[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
11[IKE] received cert request for unknown ca with keyid 59:79:12:de:61:75:d6:6f:c4:23:b7:77:13:74:c7:96:de:6f:88:72
11[IKE] received cert request for unknown ca with keyid 1a:21:b4:95:2b:62:93:ce:18:b3:65:ec:9c:0e:93:4c:b3:81:e6:d4
11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
11[IKE] received cert request for unknown ca with keyid 5f:f3:24:6c:8f:91:24:af:9b:5f:3e:b0:34:6a:f4:2d:5c:a8:5d:cc
11[IKE] received cert request for unknown ca with keyid e2:7f:7b:d8:77:d5:df:9e:0a:3f:9e:b4:cb:0e:2e:a9:ef:db:69:77
11[IKE] received cert request for unknown ca with keyid b1:81:08:1a:19:a4:c0:94:1f:fa:e8:95:28:c1:24:c9:9b:34:ac:c7
11[IKE] received cert request for unknown ca with keyid ee:e5:9f:1e:2a:a5:44:c3:cb:25:43:a6:9a:5b:d4:6a:25:bc:bb:8e
11[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
11[CFG] looking for peer configs matching 192.168.0.204[%any]...192.168.0.201[192.168.0.201]
我的将是cc a6 77 ce 07 ca 9c e5 e1 79 c1 2f 52 0d 60 41 c0 fc 2c 02,但它没有被尝试。
我添加了包括在其他证书中的所有额外信息(以及更多):
[ all_opts ]
keyUsage = digitalSignature, keyEncipherment, nonRepudiation, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2, 1.3.6.1.5.5.7.3.3, 1.3.6.1.5.5.7.3.4, 1.3.
6.1.5.5.7.3.5, 1.3.6.1.5.5.7.3.6, 1.3.6.1.5.5.7.3.7, 1.3.6.1.5.5.7.3.8, 1.3.6.1.5.5.7.3.17
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
nsCertType=sslCA, emailCA, objCA
crlDistributionPoints=URI:http://myhost.com/myca.crl
但迄今为止没有成功。
这是众多失败的TEST证书之一的openssl x509 -text输出。我真的把它和一个有效的匹配起来,包括了每一个选项(即使是像CRL这样看似不重要的选项),但到目前为止还没有成功。
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ed:47:46:38:44:e7:ef:40
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AU, ST=Some-State, O=TEST, CN=TEST CA
Validity
Not Before: Jun 17 10:18:16 2011 GMT
Not After : Jun 16 10:18:16 2015 GMT
Subject: C=AU, ST=Some-State, O=TEST, CN=TEST CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bf:85:90:c3:2c:30:da:8d:02:c0:6c:11:39:bc:
f4:d7:31:db:a2:bc:04:b6:c2:a4:92:ce:c1:4a:c7:
f9:43:57:6e:bc:c8:30:ee:17:45:46:57:95:37:bb:
7c:06:60:7b:20:a8:60:09:b8:1d:37:7f:26:dc:b2:
db:47:c4:91:91:8c:81:7a:b9:72:ec:0b:c6:90:50:
66:56:d1:05:a2:a0:99:66:ee:57:31:95:7c:04:a2:
4f:48:1f:89:c0:09:5b:cf:3f:09:4c:06:a8:36:99:
0e:c6:b1:27:d9:20:11:c5:fc:ec:cb:20:41:a7:8f:
d5:2a:58:2b:5c:36:f9:03:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
1.3.6.1.5.5.8.2.2, TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, IPSec End System, IPSec Tunnel, IPSec User, Time Stamping, 1.3.6.1.5.5.7.3.17
X509v3 Subject Key Identifier:
CC:A6:77:CE:07:CA:9C:E5:E1:79:C1:2F:52:0D:60:41:C0:FC:2C:02
X509v3 Authority Key Identifier:
keyid:CC:A6:77:CE:07:CA:9C:E5:E1:79:C1:2F:52:0D:60:41:C0:FC:2C:02
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
X509v3 CRL Distribution Points:
URI:http://myhost.com/myca.crl
Signature Algorithm: sha1WithRSAEncryption
69:11:dc:65:4d:f2:af:50:6f:58:56:67:97:fd:26:c4:a4:93:
0e:59:c3:bf:0f:ae:d5:58:9e:33:e3:21:11:7d:8a:fd:dd:10:
11:6e:b3:69:b8:39:28:d4:c9:a4:8f:01:94:d6:96:92:0a:bd:
0d:13:eb:29:5c:d0:7c:7c:12:09:f0:db:c0:fd:7a:4b:33:5d:
d6:68:36:51:a3:8b:b9:92:90:52:ea:7d:13:f6:4e:83:d3:60:
22:c1:c1:b0:9b:f2:72:2c:d1:f7:ae:3c:b0:7c:17:7b:66:a0:
ff:3a:50:ee:56:e4:bc:35:16:fb:65:41:78:1d:32:2d:7f:51:
2b:ce
-----BEGIN CERTIFICATE-----
. . .
我在Windows端得到的只是:
Error 13801: IKE authentication credentials are unacceptable.
尝试将它们添加到计算机的证书存储中,而不是用户的证书存储,然后它就会工作。