Creating a Rockhopper certificate compatible with a Windows 7/8/10 VPN client using XCA


A Windows 7/8/10 VPN (IKEv2) client requires, and evaluates, some additional properties in the X.509 certificate it receives from the remote peer, in particular the peer's FQDN and the extended key usage.

When you connect a Windows 7/8/10 client to Rockhopper, you need to create a Rockhopper certificate that fulfills these requirements. This page shows an easy way to do it using XCA on Ubuntu.

Rockhopper does not evaluate these additional properties when a Windows 7/8/10 client connects to it. Therefore, if you also choose RSA-Signature (certificate) as the authentication method for the client (so that both nodes authenticate with RSA-Signature (certificate)), you can create the Windows 7/8/10 client certificate as a normal certificate without these properties. To create a CA certificate and/or a normal certificate with XCA, please read "Documents/Tips: Managing certificates by XCA."

This web site provides detailed information on the topic. It is also very helpful if you manage certificates for Windows 7/8/10 VPN (IKEv2) clients with the OpenSSL command-line tools instead of XCA.
Microsoft's technical information on the subject is useful as well.



- Create and export a new certificate for Rockhopper(gateway1.example.com(FQDN)):


Create the certificate using the HTTPS_server template.

On the Subject tab, enter gateway1's FQDN (gateway1.example.com) as the commonName. The Windows client compares the server name configured in its VPN connection with the name in the certificate, so the FQDN the client connects to must appear in the certificate.

If you do not want to use the FQDN as the commonName, you need to add it as a DNS entry of the subject alternative name extension (subjectAltName, SAN) on the Extensions tab.
In the Key usage pane on the Key Usage tab, select Digital Signature and Key Encipherment.

In addition, in the Extended key usage pane on the Key Usage tab, add TLS Web Server Authentication (serverAuth, OID 1.3.6.1.5.5.7.3.1); the Windows IKEv2 client rejects a gateway certificate that does not carry it. Microsoft's IKEv2 guidance also lists IP security IKE intermediate (OID 1.3.6.1.5.5.8.2.2), so add that as well.

Finally, export gateway1's certificate together with its private key as a PKCS#12 file, which is what Rockhopper imports.
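The same procedure carried out with the OpenSSL command line instead of XCA, as an added example that is not part of this page or of Rockhopper itself: it builds a test CA, issues the gateway1 certificate with the FQDN, key usage and extended key usage described above, exports the PKCS#12 file, and then checks a certificate for each property the Windows client evaluates. It also issues a "normal" certificate without the Windows-specific extensions to show the check rejecting it. The scratch directory, the CA name "testca", the key sizes and the PKCS#12 password "changeit" are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Rockhopper page): gateway1 certificate for a
# Windows IKEv2 client, built with OpenSSL, plus a checker for the properties
# the client evaluates. Scratch directory, CA name, key sizes and PKCS#12
# password are assumptions for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"
GW_FQDN="gateway1.example.com"   # FQDN used on the page
P12_PASS="changeit"              # assumed export password; choose your own

# X.509 v3 extensions the Windows client checks on the gateway certificate:
# the FQDN as a DNS subjectAltName, keyUsage digitalSignature + keyEncipherment,
# extendedKeyUsage serverAuth (1.3.6.1.5.5.7.3.1) and IP security IKE
# intermediate (1.3.6.1.5.5.8.2.2), which Microsoft also lists for IKEv2 servers.
write_gateway_ext() {
  cat > "$WORK/gateway1.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName = DNS:$GW_FQDN
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
EOF
}

# Self-signed test CA, standing in for the CA created in XCA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=testca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a certificate named $1 using the extension file $2, then bundle the
# private key, certificate and CA certificate into a PKCS#12 file.
issue_cert() {
  name="$1"; extfile="$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$GW_FQDN" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 730 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$extfile" -out "$WORK/$name.crt" 2>/dev/null
  openssl pkcs12 -export -name "$name" -inkey "$WORK/$name.key" \
    -in "$WORK/$name.crt" -certfile "$WORK/ca.crt" \
    -passout "pass:$P12_PASS" -out "$WORK/$name.p12"
}

make_gateway_cert() { write_gateway_ext; issue_cert gateway1 "$WORK/gateway1.ext"; }

# A "normal" certificate as XCA creates it without the Windows-specific
# extensions: CN and key usage only. A Windows client rejects it.
make_plain_cert() {
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\n' \
    > "$WORK/plain.ext"
  issue_cert plain "$WORK/plain.ext"
}

# Return 0 only if the certificate file $1 carries every property the Windows
# client evaluates; report each missing one otherwise.
check_windows_ikev2_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  ok=0
  echo "$text" | grep -q "DNS:$GW_FQDN" \
    || { echo "missing subjectAltName DNS:$GW_FQDN"; ok=1; }
  echo "$text" | grep -q "Digital Signature, Key Encipherment" \
    || { echo "missing keyUsage digitalSignature, keyEncipherment"; ok=1; }
  echo "$text" | grep -q "TLS Web Server Authentication" \
    || { echo "missing extendedKeyUsage serverAuth"; ok=1; }
  # OpenSSL prints the IKE intermediate EKU as a dotted OID, or as a name
  # containing "IKE" if its object table knows it; accept either form.
  echo "$text" | grep -Eq '1\.3\.6\.1\.5\.5\.8\.2\.2|IKE' \
    || { echo "missing extendedKeyUsage 1.3.6.1.5.5.8.2.2"; ok=1; }
  return $ok
}

# Confirm the PKCS#12 file $1 opens with the password and holds a private key.
check_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nocerts -passout pass:x \
    2>/dev/null | grep -q "PRIVATE KEY"
}

make_ca
make_gateway_cert
make_plain_cert
openssl verify -CAfile "$WORK/ca.crt" "$WORK/gateway1.crt"
if check_windows_ikev2_cert "$WORK/gateway1.crt"; then echo "gateway1.crt: OK"; fi
if check_windows_ikev2_cert "$WORK/plain.crt"; then :; else echo "plain.crt: rejected"; fi
check_p12 "$WORK/gateway1.p12" && echo "gateway1.p12: OK (files in $WORK)"
```

The checker is the part worth keeping around: run it against any gateway certificate exported from XCA (`openssl pkcs12 -in gateway1.p12 -nokeys` gives you the PEM) before loading it into Rockhopper, since a missing serverAuth EKU or a mismatched FQDN only shows up on the Windows side as an authentication failure. Note that OpenSSL 3 writes PKCS#12 files with AES/PBKDF2 by default; if the software importing the file only understands the older RC2/3DES encoding, re-export with `openssl pkcs12 -export -legacy ...`.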
