[Swan] Certificate/ID validation requirements

Nels Lindquist nlindq at maei.ca
Sat Sep 2 01:33:56 EEST 2023 

On 2023-09-01 3:40 PM, Paul Wouters wrote:

> On Sep 1, 2023, at 14:53, Nels Lindquist <nlindq at maei.ca> wrote:
>>
>> I noted in a previous email thread that newer versions do more stringent certificate validating; the endpoint which is failing is version 4.7. Clients are Windows, btw.
> 
> Windows checks its own certificate chain validity and if not valid won’t use the certificate. Apple products just use their end certificate and as long as they can validate the server cert, they don’t care about the client cert not having a valid path.

Yes; I confirmed that an otherwise valid certificate with an expired CA 
in the Trusted Root won't even be presented by Windows.

>> Is what I'm trying to do even possible with later versions? What attributes of the CA certificate are being used to validate the chain?
> 
> Not with windows, they need a new valid PKCS12 certificate bundle.

I thought that too, but it turns out not to be the case!

I was able to "heal" the chain for Windows by importing a new CA 
certificate PEM file (requested and signed from the same private key, 
with the identical Subject) into the "Trusted Root Certification 
Authorities" section of the Computer certificate store. The client 
certificate (in the Personal section) then changed from invalid to 
valid, and the certification path now shows the "new" version of the CA 
cert as the signer. I didn't even need to delete the expired CA cert for 
this to work.

As can be demonstrated in the libreswan logs, Windows will then happily 
present the client certificate when negotiating a connection.

On the libreswan side, deleting the expired CA and importing the new one 
(leaving the still valid leftcert untouched) into the NSS db allows the 
connection to be established--on the older version (3.32) in my test 
environment, at least.

I need to try using my "test cert" bundle on a newer version to 
determine whether my failed attempt to make this work in the production 
environment was due to more stringent checking in a newer version of 
libreswan, or some subtle difference in the way the reissued production 
CA was generated, or something else. I was assuming a version 
difference, but in retrospect I need to prove that's actually the case.

As the production CA hasn't actually expired yet, this can wait until 
after the weekend.

> Note for the server you can use a LetsEncrypt certificate and it will validate for the clients. You don’t have to have to same CA for both ends.

Good to know!

-- 
Nels Lindquist
nlindq at maei.ca

More information about the Swan mailing list