Create a Rockhopper's certificate compatible with a Windows 7/8/10 VPN client by XCA.

A Windows 7/8/10 VPN(IKEv2) client requires and evaluates some additional properties in a received remote peer's certificate(X.509).

When you connect a Windows 7/8/10 client with Rockhopper, you need to create a Rockhopper's certificate fulfilling the requirements. This page shows an easy way by using XCA on Ubuntu.

Rockhopper doesn't evaluate these additional properties when connecting itself with a Windows 7/8/10 client. Therefore, you can normally create a Windows 7/8/10 client certificate without the properties if you also choose RSA-Signature (certificate) for it (This means both nodes use RSA-Signature (certificate) as an authentication method). To create a CA certificate and/or a normal certificate by XCA, please read "Documents/Tips: Managing certificates by XCA."

This web site provides detailed information related to the topic. When you manage certificates for Windows 7/8/10 VPN(IKEv2) clients by OpenSSL tools, this site is also very helpful to you.
Also, this technical information by Microsoft is useful.


- Create and export a new certificate for Rockhopper(

Click an image to zoom in.

Create the certificate by using a HTTPS_Server template.

On the Subject tab, enter gateway1's FQDN( as commonName.

If you don't want to specify it as FQDN, you need to add the FQDN as subject alternative name (subjectAltName(SAN)) on the Extensions tab like the following images.


Specify Digital Signature and Key Encipherment in the Key usage pane on the Key Usage tab.

In addition, you need to specify the following additional properties in the Extended key usage pane on the Key Usage tab.

Finally, export the gateway1's certificate as a PKCS#12 file.


Back to Top