According to RFC 4945, section 5.1.3.2, a certificate for IKE must
either not contain the keyUsage extension, or, if it does, have at least
one of the digitalSignature or nonRepudiation bits set.
X509_IKE_INTERMEDIATE = (1<<8),
/** cert has Microsoft Smartcard Logon usage */
X509_MS_SMARTCARD_LOGON = (1<<9),
+ /** cert either lacks keyUsage bits, or includes either digitalSignature
+ * or nonRepudiation as per RFC 4945, section 5.1.3.2. */
+ X509_IKE_COMPLIANT = (1<<10),
};
extern enum_name_t *x509_flag_names;
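Review bot: The new doc comment on `X509_IKE_COMPLIANT` says the cert "lacks keyUsage bits", which can be read as a keyUsage extension that is present but has neither bit set. The commit message, citing RFC 4945 section 5.1.3.2, exempts only certificates that carry no keyUsage extension at all. I would word it `/** cert either has no keyUsage extension, or has digitalSignature or nonRepudiation set, as per RFC 4945, section 5.1.3.2 */` so that nobody implements the looser reading. Because the flag is positive, the comment could also state that a certificate without it is not acceptable for IKE authentication; presumably the parser sets the flag, but that code is not in this hunk. The enum begins above the hunk, and whether the `x509_flag_names` table is extended for the new value cannot be seen from here.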