The root CA has exactly that setting using both the Windows and the OpenSSL CA, and is V3 also:
Basic Constraints: Subject Type=CA, Length Constraint=None
The difference I see is that the OpenSSL client cert also shows the Basic Constraints attribute:
Basic Constraints: Subject Type=End Entity, Path Length Constraint=None
whereas the client cert issued by the Windows CA does not show this attribute at all, although both are V3 client certs.
That is what I meant in the beginning:
If you have a V1 client certificate, then you do not need the BasicConstraints setting (because with Version 1, this field was not specified). But with V3 client certificates, the BasicConstraints setting is a must-have.
So you need to set your Windows-CA-Server to set this field for the client certificates when you issue them.
I see, but I cannot find a way to get my Windows Server 2008 enterprise CA to include that BasicConstraints extension in the client certificates. Any hints on this?
The root CA itself has it set. It looks like, by definition, the field may be optional when the certificate is not a CA:
From the man page http://man.he.net/man5/x509v3_config:
"An end user certificate must either set CA to FALSE or exclude the extension entirely. Some software may require the inclusion of basicConstraints with CA set to FALSE for end entity certificates."
So maybe the Juniper SSL is exactly such a device that also needs that extension for the client certificates...
Unfortunately I have no experience with Win-CA-Server (we use Linux OpenSSL).
But from what I can read on the web, I think you should preset BasicConstraints for your client certificates in the
(Section "[basicconstraintsextension]" ?)
I found the problem. Since I was using a template based on "IPSec (offline request)", I had missed adding "Client Authentication" to the Application Policy in the Extensions (it is not included by default in that template). Once this was set, it started to work ;-)
The client certs rolled out like that do not include the "Basic Constraint" at all, but the underlying root CA cert does (as there it is required). So it looks like for the user cert itself, the basic constraint extension is not required.
Thank you for the details; glad to hear it is working.
That's interesting. What "Key Usage" is listed in your Juniper Admin now (Configuration > Trusted Client CAs)?
Ours is:
Key Usage: Certificate Sign, CRL Sign
Maybe Juniper can tell us more about what is actually needed now for successful client certificate authorization?
Because it's all like trial-and-error science since they changed the behavior with the firmware upgrade.
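As an added example that is not part of any post above, this shell script (assuming only the openssl command line tool; the certificate names, paths and config section names are my own) builds a demo root CA plus two client certificates, one OpenSSL-style with basicConstraints CA:FALSE and one Windows-CA-style with no basicConstraints at all, and reports for any PEM certificate whether it is V3, what its basicConstraints say, and whether the Client Authentication EKU discussed in the thread is present:

```shell
#!/bin/sh
# Added example: check whether a certificate carries the attributes discussed in the thread
# (X.509 version, basicConstraints, Client Authentication EKU) with the openssl CLI only.
# Demo CA and client certificates are constructed below; names and paths are my own.
set -eu
# Print: version=<n> basicconstraints=<ca|endentity|absent> clientauth=<yes|no>
cert_attrs() {
  txt=$(openssl x509 -in "$1" -noout -text)
  ver=$(printf '%s\n' "$txt" | sed -n 's/^ *Version: \([0-9]*\).*/\1/p' | head -n 1)
  bc=absent
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' && bc=ca
  printf '%s\n' "$txt" | grep -q 'CA:FALSE' && bc=endentity
  ca=no
  printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' && ca=yes
  printf 'version=%s basicconstraints=%s clientauth=%s\n' "$ver" "$bc" "$ca"
}
# Build in $1: ca.pem, client_bc.pem (OpenSSL-style: CA:FALSE + clientAuth) and
# client_nobc.pem (Windows-CA-style: clientAuth only, no basicConstraints)
make_demo_certs() {
  d=$1
  cat >"$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client_bc]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[v3_client_nobc]
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -config "$d/ext.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 2>/dev/null
  openssl req -new -config "$d/ext.cnf" -subj /CN=Demo-Client -newkey rsa:2048 -nodes \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  for sec in bc nobc; do   # same CSR signed twice with different extension sections
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
      -days 1 -extfile "$d/ext.cnf" -extensions "v3_client_$sec" -out "$d/client_$sec.pem" 2>/dev/null
  done
}
if [ $# -gt 0 ]; then cert_attrs "$1"; else   # ./check.sh cert.pem, or no args for the demo
  tmp=$(mktemp -d); make_demo_certs "$tmp"
  for f in ca client_bc client_nobc; do printf '%-12s ' "$f"; cert_attrs "$tmp/$f.pem"; done
fi
```

Run it against a client certificate exported from the Windows CA to see at a glance which of the two attributes it actually carries.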