Netgate Discussion Forum
    Unable to replace the certificate for mobile clients.

Category: IPsec
3 Posts, 2 Posters, 857 Views
JonnyDy wrote:

      Good day to all.

      When trying to change the certificate, an error appears:

      The following input errors were detected:

      The selected certificate must be a Server Certificate for Mobile IPsec mode.

      Does this mean that the certificate was generated incorrectly?

But the fact is that it was created according to the same template as the one that is currently working.

      Signature Digest: RSA-SHA256
      SAN: IP Address:192.168.1.1
      KU: Digital Signature, Key Encipherment
      EKU: IP Security IKE Intermediate
      Key Type: RSA
      Key Size: 4096
      DN: /CN=192.168.1.1

      It turns out that the certificates are identical, but it is impossible to replace one with another.

jimp (Rebel Alliance Developer, Netgate) wrote:

        Normally a "server" certificate like that should also include the EKU values for TLS Web Server Auth and client auth along with the IKE OID you have. If you make a server certificate using the pfSense certificate manager it should come out that way.

        Some clients don't even check the IKE OID anymore.

        The IPsec page probably started doing input validation to prevent using a certificate that some clients would reject.

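To make jimp's point concrete, here is an added example that is not part of the thread or of pfSense itself: a POSIX shell script that uses openssl to build two self-signed certificates for CN/SAN 192.168.1.1, one carrying only the IKE Intermediate OID as in the original post and one with the serverAuth, clientAuth and IKE Intermediate EKUs a pfSense Server Certificate gets, then checks each for the EKU set a mobile IPsec server certificate needs. The function names, file names and the check logic are this example's own assumptions, not pfSense's validation code; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense code base): reproduce the
# two certificates discussed above with openssl and test each for the EKU set
# a mobile IPsec "server" certificate needs. Requires openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a self-signed cert for CN/SAN 192.168.1.1 with the given EKU list.
# $1 = output basename, $2 = extendedKeyUsage value (openssl config syntax)
make_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ext
prompt = no
[ dn ]
CN = 192.168.1.1
[ ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $2
subjectAltName = IP:192.168.1.1
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -config "$WORK/$1.cnf" >/dev/null 2>&1
  printf '%s\n' "$WORK/$1.crt"
}

# Print the line following "Extended Key Usage" in openssl's text dump,
# i.e. the EKU values as openssl renders them.
cert_eku() {
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{ n; p; }'
}

# Return 0 when the cert carries the EKUs jimp describes: TLS Web Server
# Auth, TLS Web Client Auth and the IKE Intermediate OID 1.3.6.1.5.5.8.2.2.
# The IKE OID is matched both numerically and by name, because openssl
# builds differ in whether they print a long name for it.
is_mobile_ipsec_server_cert() {
  eku=$(cert_eku "$1")
  echo "$eku" | grep -q 'TLS Web Server Authentication' &&
  echo "$eku" | grep -q 'TLS Web Client Authentication' &&
  echo "$eku" | grep -Eq '1\.3\.6\.1\.5\.5\.8\.2\.2|IKE Intermediate'
}

# Constructed to match the poster's certificate: IKE Intermediate only.
IKE_ONLY=$(make_cert ike_only '1.3.6.1.5.5.8.2.2')
# Constructed to match what the pfSense cert manager issues as a Server Certificate.
SERVER=$(make_cert server 'serverAuth, clientAuth, 1.3.6.1.5.5.8.2.2')

for c in "$IKE_ONLY" "$SERVER"; do
  printf '%s: %s\n' "$(basename "$c")" "$(cert_eku "$c" | sed 's/^ *//')"
  if is_mobile_ipsec_server_cert "$c"; then
    echo "  accepted: carries server, client and IKE Intermediate EKUs"
  else
    echo "  rejected: would trip 'must be a Server Certificate for Mobile IPsec mode'"
  fi
done
```

Run it as `sh check_ipsec_cert.sh`; the ike_only certificate is rejected and the server one accepted. To inspect a certificate you already have instead, point `cert_eku` at its PEM file: if the EKU line lacks "TLS Web Server Authentication", regenerate it as a Server Certificate rather than editing the template by hand.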
JonnyDy (replying to jimp) wrote:

@jimp Thanks! Changed to a TLS Web Server certificate, and the error disappeared.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.