IKEv2 CertificateType clarification

In the IKEv2 VPN profile, what value should we pass for the CertificateType key? It is not clear from https://developer.apple.com/documentation/devicemanagement/vpn/ikev2

Is it the encryption algorithm of the keys, or the signature algorithm?

For example, see the certificate payload below.

keytool -printcert -file test.cer
Owner: CN=abcd
Issuer: CN=xyz
Serial number: 68
Valid from: Thu Mar 25 15:39:45 2021 until: Sat Mar 26 15:39:45 2022
Certificate fingerprints:
MD5: ....
SHA1: ....
SHA256: .....
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 521-bit EC key

Taken from the above payload, which of the two algorithms below should be used as the reference for the value to pass in the CertificateType payload?
  • Signature algorithm name: SHA384withECDSA

  • Subject Public Key Algorithm: 521-bit EC key


Thanks
Accepted Answer
The signature algorithm indicates the hashing algorithm used when the certificate was signed.
The subject public key algorithm indicates the key pair the cert represents, and this is the one that's used for cryptographic operations based on the certificate.
CertificateType indicates the algorithm used for IKEv2 machine authentication, so it refers to the cryptographic algorithm when using the certificate's key pair for authentication. That means you should set the CertificateType based on "521-bit EC key". You should set this field to ECDSA521. (Note that there's a bug in the documentation that refers to this as ECDSA512, but the correct value is ECDSA521.)
Thank you very much. It is a bonus to know about the documentation bug, really appreciate that.
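The rule from the accepted answer (derive CertificateType from the certificate's own key pair and ignore the signature algorithm) is easy to get wrong when a CA signs with a different algorithm than the leaf key, so here is a small, added example that is not code from the thread or from Apple. It parses the `Subject Public Key Algorithm` line of `keytool -printcert` output (the line format is taken from the question; the regex is my assumption about how keytool prints other key types), maps it to the IKEv2 CertificateType value, and emits the authentication-related keys of the IKEv2 dictionary as a plist fragment. The two sample outputs, the hostnames and the certificate-payload UUID are constructed placeholders. The second sample is an RSA client certificate issued by an EC CA: its signature line still reads `SHA384withECDSA`, but the correct CertificateType is `RSA`.

```python
import re
import plistlib

# Constructed sample modelled on the keytool -printcert output in the question.
# Here the signature (SHA384withECDSA) and the key pair (521-bit EC) happen to
# agree, so either line would suggest the same CertificateType.
KEYTOOL_OUTPUT_EC521 = """\
Owner: CN=abcd
Issuer: CN=xyz
Serial number: 68
Valid from: Thu Mar 25 15:39:45 2021 until: Sat Mar 26 15:39:45 2022
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 521-bit EC key
"""

# Constructed counter-example: an RSA client certificate issued by an EC CA.
# The signature line still says ECDSA, but the device authenticates with the
# RSA key pair, so CertificateType must be "RSA".
KEYTOOL_OUTPUT_RSA_FROM_EC_CA = """\
Owner: CN=rsa-client
Issuer: CN=ec-ca
Serial number: 69
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 2048-bit RSA key
"""

# Assumed keytool line shapes: "<bits>-bit <ALG> key" and "<SigAlg>".
_SPKI_LINE = re.compile(
    r"^Subject Public Key Algorithm:\s*(?:(\d+)-bit\s+)?(\w+)\s+key\s*$",
    re.MULTILINE,
)
_SIG_LINE = re.compile(r"^Signature algorithm name:\s*(\S+)\s*$", re.MULTILINE)


def subject_key_info(keytool_output):
    """Return (algorithm, key_bits) from the 'Subject Public Key Algorithm' line."""
    m = _SPKI_LINE.search(keytool_output)
    if m is None:
        raise ValueError("no 'Subject Public Key Algorithm' line in keytool output")
    bits = int(m.group(1)) if m.group(1) else None
    return m.group(2).upper(), bits


def signature_algorithm(keytool_output):
    """Return the 'Signature algorithm name' value, reported only for context:
    it describes the issuer's signature, not the key pair the client uses."""
    m = _SIG_LINE.search(keytool_output)
    return m.group(1) if m else None


def certificate_type(keytool_output):
    """Map the certificate's own key pair to the IKEv2 CertificateType value.

    The signature algorithm is deliberately ignored: an RSA leaf signed by an
    EC CA is still an RSA certificate for IKEv2 authentication. Note the value
    for P-521 keys is ECDSA521 (the thread mentions a docs typo, ECDSA512).
    """
    algorithm, bits = subject_key_info(keytool_output)
    if algorithm == "RSA":
        return "RSA"
    if algorithm == "EC":
        by_curve_size = {256: "ECDSA256", 384: "ECDSA384", 521: "ECDSA521"}
        if bits not in by_curve_size:
            raise ValueError(f"unsupported EC key size for CertificateType: {bits}")
        return by_curve_size[bits]
    raise ValueError(f"unsupported key algorithm for CertificateType: {algorithm}")


def ikev2_fragment(keytool_output, remote_address, remote_id, local_id, cert_uuid):
    """Build the IKEv2 dictionary of a VPN payload with the derived CertificateType.

    Only the authentication-related keys are filled in; the enclosing VPN
    payload (VPNType, UserDefinedName, PayloadUUID, ...) is out of scope here.
    """
    return {
        "RemoteAddress": remote_address,
        "RemoteIdentifier": remote_id,
        "LocalIdentifier": local_id,
        "AuthenticationMethod": "Certificate",
        "PayloadCertificateUUID": cert_uuid,
        "CertificateType": certificate_type(keytool_output),
    }


def ikev2_fragment_plist(keytool_output, remote_address, remote_id, local_id, cert_uuid):
    """The same fragment serialised as XML plist bytes, as it appears in a .mobileconfig."""
    fragment = ikev2_fragment(keytool_output, remote_address, remote_id, local_id, cert_uuid)
    return plistlib.dumps(fragment)


if __name__ == "__main__":
    for name, out in (("EC P-521", KEYTOOL_OUTPUT_EC521),
                      ("RSA signed by EC CA", KEYTOOL_OUTPUT_RSA_FROM_EC_CA)):
        print(f"{name}: signature={signature_algorithm(out)} key={subject_key_info(out)} "
              f"-> CertificateType={certificate_type(out)}")
    # Placeholder hostnames and UUID; substitute your own profile values.
    print(ikev2_fragment_plist(KEYTOOL_OUTPUT_EC521, "vpn.example.com", "vpn.example.com",
                               "client.example.com", "PLACEHOLDER-CERT-PAYLOAD-UUID").decode())
```

Running the script prints `ECDSA521` for the first sample and `RSA` for the second even though both carry a `SHA384withECDSA` signature, which is the distinction the accepted answer draws. Unsupported key types or EC sizes raise `ValueError` rather than guessing a value, so a profile generator built on this fails loudly instead of shipping a profile whose machine authentication cannot succeed.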