Unable to replace the certificate for mobile clients.
-
Good day to all.
When trying to change the certificate, an error appears:
The following input errors were detected:
The selected certificate must be a Server Certificate for Mobile IPsec mode.
Does this mean that the certificate was generated incorrectly?
But, the fact is that it was created according to the same template as the one that is currently working.
Signature Digest: RSA-SHA256
SAN: IP Address:192.168.1.1
KU: Digital Signature, Key Encipherment
EKU: IP Security IKE Intermediate
Key Type: RSA
Key Size: 4096
DN: /CN=192.168.1.1
It turns out that the certificates are identical, but it is impossible to replace one with another.
-
Normally a "server" certificate like that should also include the EKU values for TLS Web Server Auth and client auth along with the IKE OID you have. If you make a server certificate using the pfSense certificate manager it should come out that way.
Some clients don't even check the IKE OID anymore.
The IPsec page probably started doing input validation to prevent using a certificate that some clients would reject.
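The EKU check described above, as an added example that is not part of the thread or of pfSense itself: a small POSIX shell script that reads a certificate's extendedKeyUsage with the openssl CLI and reports whether it would pass as a "Server Certificate" (serverAuth present) and whether the IKE Intermediate OID is there too. It assumes openssl 1.1.1 or newer (for `req -addext`) and builds its own throwaway self-signed certificates as constructed test data.

```shell
#!/bin/sh
# Added example, not from the thread: check the extendedKeyUsage values of a
# certificate the way pfSense's Mobile IPsec validation cares about them,
# using only the openssl CLI (assumes openssl 1.1.1+ for `req -addext`).

# Print the EKU value line of a PEM certificate (empty if the extension is absent).
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
        | sed 's/^[[:space:]]*//'
}

# 0 when the TLS Web Server Authentication EKU is present, i.e. the certificate
# counts as a "Server Certificate" for the Mobile IPsec page.
has_server_auth_eku() {
    cert_eku "$1" | grep -q 'TLS Web Server Authentication'
}

# 0 when the IKE Intermediate EKU (OID 1.3.6.1.5.5.8.2.2) is also present;
# harmless to keep for older clients, but not sufficient on its own.
has_ike_intermediate_eku() {
    cert_eku "$1" | grep -Eiq 'IKE ?Intermediate|1\.3\.6\.1\.5\.5\.8\.2\.2'
}

# Constructed test data: a throwaway self-signed cert at $1 with EKU list $2,
# with the SAN, KU and CN from the question. A real cert is signed by the pfSense CA.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -keyout "$1.key" -out "$1" -subj "/CN=192.168.1.1" \
        -addext "subjectAltName=IP:192.168.1.1" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Compare the IKE-only certificate from the question with the corrected one.
demo() {
    d=$(mktemp -d)
    make_demo_cert "$d/ike_only.pem" "1.3.6.1.5.5.8.2.2"
    make_demo_cert "$d/server.pem" "serverAuth,clientAuth,1.3.6.1.5.5.8.2.2"
    for c in ike_only server; do
        if has_server_auth_eku "$d/$c.pem"; then
            echo "$c: accepted (serverAuth present)"
        else
            echo "$c: rejected, EKU is '$(cert_eku "$d/$c.pem")'"
        fi
    done
    rm -rf "$d"
}
demo
```

To check a certificate exported from the pfSense certificate manager, run `cert_eku /path/to/cert.pem` and `has_server_auth_eku /path/to/cert.pem` against that file instead of the demo ones.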
-
@jimp Thanks! Changed to a TLS Web Server certificate, and the error disappeared.