Bug #2800

OpenVPN doesn't work properly with intermediate/chained CAs

Added by Malte Stretz about 4 years ago. Updated about 1 month ago.

There are two places where working with chained certificates is broken or at least weird. Background: OpenVPN always needs the whole CA chain in the --ca setting. It will also verify the client cert against the whole chain but that's not a pfSense problem.

So I've got this config: Created a Root CA with the pfSense Cert Manager. Created a VPN Intermediate CA with the Cert Manager. Created the OpenVPN server Cert within that CA and also the client certs.

In The OpenVPN settings I selected the Intermediate CA as the Peer Certificate Authority etc. I exported the client config with the OpenVPN Client Export Utility.

First issue: The OpenVPN Client Export Utility doesn't include the Root CA in the exported config thus the client will fail to connect. (Since I don't know if that package is an official pfSense package, this might be the wrong place to report this but this should be rather easy to fix.) It will fail with

VERIFY ERROR: depth=1, error=unable to get local issuer certificate: /C=DE/ST=HH/L=HH/O=Example_GmbH/emailAddress=/CN=Example_VPN_CA__pfSense_

Second (more important) issue: Once the previous one is fixed manually, the server will also fail to verify the client cert with

VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: /C=DE/ST=HH/L=HH/O=Example_GmbH/emailAddress=/CN=Example_Root_CA__pfSense_

If I set the Peer Certificate Authority to the Root CA, it looks like it works (I have LDAP auth issues now but that's more than before).

This behaviour is at least weird/unintuitive and hard to debug. pfSense should either generate a proper chained cert if you select an Intermediate CA (preferred) or keep me from selecting one.

This is pfSense 2.0.2.


#1 Updated by Tim Lau about 3 years ago

I am hit with the same bug.

Also, if you set the Peer Certificate Authority to the Root CA, 2 things happen:

Certificate Depth in the Server tab needs to be adjusted.

OpenVPN Client Export Utility stops working (Client Install Packages list becomes blank).

A potential workaround is to do the same for pfSense's OpenVPN server CA config as the solution to the first issue:
Append all the CA certificates in the chain to /var/etc/openvpn/server{x}.ca (root FS rw?)

Can anyone tell me the problem with this approach? (other than I shouldn't mess around with the FS directly).

#2 Updated by Tim Lau about 3 years ago

After I posted the above, I have a new idea.

I just copied the Root CA certificate to the Intermediate CA's certificate in System: Certificate Authority Manager.

#3 Updated by Malte Stretz about 3 years ago

You mean you essentially created a cert chain yourself in the Certificate Authority Manager and then it worked?

#4 Updated by Oliver Welter over 2 years ago

Ran into the same issue today with version 2.1.4.
The hack to copy the full chain into the certmanager solves the problem but imho the correct behaviour should be to resolve the required certificates using the cert-manager and use the "extra-certs" option to provide the chain certificates.
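Added example, not code from this ticket, pfSense or OpenVPN: it builds a throwaway Root -> Intermediate -> client chain with openssl and checks a CA bundle the way an OpenVPN peer checks its --ca file, so a bundle can be tested before it is deployed. It reproduces the ticket's failing setup (only the intermediate in the bundle), the workaround from the report and comment #1 (whole chain in the bundle), and the alternative from comment #4 (trust the root, send the intermediate as an extra cert). Subject names are placeholders.

```shell
#!/bin/sh
# Added example, not pfSense or OpenVPN code: build a throwaway
# Root -> Intermediate -> client chain and check a CA bundle the way an
# OpenVPN peer checks against its --ca file, before deploying it.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Constructed throwaway hierarchy; subjects are placeholders.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example_Root_CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
  -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example_VPN_CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 2 -out inter.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client1" 2>/dev/null
openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -out client.crt 2>/dev/null

# chain_status BUNDLE CERT [SENT]: verify CERT against the trusted BUNDLE,
# optionally with SENT as the chain certs the peer sends (cf. --extra-certs).
# Prints "ok", or "depth N: <reason>" for the first failure openssl reports.
chain_status() {
  if [ $# -ge 3 ]; then set -- -CAfile "$1" -untrusted "$3" "$2"
  else set -- -CAfile "$1" "$2"; fi
  out=$(openssl verify "$@" 2>&1) || true
  case "$out" in *": OK"*) echo ok; return 0 ;; esac
  printf '%s\n' "$out" |
    sed -n 's/.*error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)/depth \1: \2/p' | head -n 1
  return 1
}

# The ticket's setup: only the intermediate in the bundle, so the chain
# cannot reach a self-signed root and verification fails at depth 1.
echo "intermediate only: $(chain_status inter.crt client.crt)"
# Workaround from the ticket: the bundle carries the whole chain.
cat root.crt inter.crt > chain.crt
echo "root+intermediate: $(chain_status chain.crt client.crt)"   # ok
# Alternative from comment #4: trust the root, send the intermediate as an extra cert.
echo "root, intermediate sent: $(chain_status root.crt client.crt inter.crt)"   # ok
```

Run it against your own exported bundle by pointing chain_status at the real ca file and a real client certificate; anything other than "ok" is the error the OpenVPN peer will log.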

#5 Updated by Bernd Zeimetz about 2 years ago

Same broken behaviour in 2.2.

Adding the Root CA certificate to the Intermediate CA's certificate in System: Certificate Authority Manager still works as workaround.

#6 Updated by Taras Yermolenko about 1 year ago

Hey guys,
Still having this issue on 2.2.6.
The workaround is working.

#7 Updated by Chris Buechler 9 months ago

  • Status changed from New to Feedback
  • Target version set to 2.4.0
  • Affected version changed from 2.0.x to All

Merged PR 2966 for 2.4 to address this.

If OpenVPN Client Export needs to be addressed still, that should have its own ticket under packages.

#8 Updated by Jim Thompson 5 months ago

  • Assignee set to Jim Pingle

#9 Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to Resolved

This works fine in the base system and in the export package. I can make a CA, then make an intermediate CA, then make a server based on the intermediate, and a user based on the intermediate. Select the server cert and the server config has the full chain. Export the user cert and it has the full chain. Set the depth to 2 and the user connects fine. Looks good to me, closing the ticket.

#10 Updated by Jim Pingle about 1 month ago

  • Target version changed from 2.4.0 to 2.3.3
