Bug #10649
OpenVPN Client Export Wizard Using Wrong Root CA Certificate
Status: closed
Description
This occurs using pfSense 2.4.5-RELEASE (arm) on an SG-3100. OpenVPN CE Wizard v1.4.23.
I had two Root CAs in pfSense's Certificate Manager. #1 is a chained, self-signed Root and Intermediate certificate pair (my Root CA plus a CA key signed with my Root CA). #2 is a pfSense-generated certificate. The computer I am using is Windows 10 64-bit. CA #1 (and the Root CA used to sign it) are both installed in Windows CertMgr under Trusted Root Certification Authorities.
When I set up OpenVPN, I used CA #2 to sign a pfSense-generated OpenVPN server certificate (CERT #1), while I spent time understanding how to use OpenSSL 1.1.1. It took me some time to adapt my scripts to put the needed attributes into the certificate from CA #1.
Yesterday I finished my research and imported the new certificate signed by CA #1 (along with its private key); note that the certificate contains the complete CA chain (root and intermediate) along with the server certificate. Let's call this CERT #2. After importing, I edited the Server config to switch to CA #1 as the Peer Certificate Authority, and the newly-signed certificate (by CA #1).
All the attributes were correct, but OpenVPN was giving me an error that the Root CA was unknown. I opened the OVPN bundle file with Notepad++ (on Windows) and was able to determine that the Intermediate CA was from #2, but the exported Root CA was from #1.
I manually copied the correct encoded CERT data from Root CA #1's certificate file, pasted it into the OVPN file and re-exported that to iOS. Now everything works fine.
I have two different VPN ports opened on my router, and after the first one worked I reconfigured and exported the second. Same Root CA certificate problem; also fixed with manual copy and paste.
It seems that the OpenVPN Export package, for some reason, grabs the wrong Root CA on a chained CA set, at least when there is a pfSense self-signed CA plus another Root CA generated by OpenSSL outside of pfSense.
Note in my initial paragraph I said I had two root CAs installed in pfSense. I have since deleted CA #1 and its certificates, as I do not need them (and I am hopeful that whenever I re-export things, it will put the correct CA certs in place since there is only one saved in pfSense now).
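The reporter found the mismatch by reading the exported bundle by eye. As an added check (not part of this bug report, of pfSense, or of the OpenVPN Client Export package), the Python script below automates that inspection: it pulls every PEM certificate out of the ca block of an exported .ovpn file, walks just enough DER (standard library only) to read each certificate's issuer and subject, and reports any certificate whose issuer is not the subject of another certificate in the block, which is exactly the "intermediate paired with the wrong root" symptom described above. The sample bundles it builds are constructed, unsigned certificate skeletons with made-up names (Root CA A, Root CA B, Intermediate A); on a real export, run it against the .ovpn file path instead.

```python
"""Check that the <ca> block of an exported OpenVPN bundle forms a consistent chain.

Added example, not pfSense or openvpn-client-export code. Standard library only.
"""
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"  # DER TLV of id-at-commonName (2.5.4.3)


def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner


def name_cn(name_der):
    """Return the commonName of a DER Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, rdn in _children(name_der):              # each RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):               # each AttributeTypeAndValue (SEQUENCE)
            if atv.startswith(CN_OID):
                _, cn, _ = _tlv(atv, len(CN_OID))
                return cn.decode("utf-8", "replace")
    return "<no CN>"


def issuer_subject(cert_der):
    """Return (issuer, subject) Name contents from a DER X.509 certificate."""
    _, cert, _ = _tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def ca_block_certs(ovpn_text):
    """Return DER bytes of every certificate inside the <ca>...</ca> block."""
    m = re.search(r"<ca>(.*?)</ca>", ovpn_text, re.S)
    if not m:
        return []
    return [base64.b64decode(re.sub(r"\s+", "", b)) for b in PEM_RE.findall(m.group(1))]


def check_ca_chain(ovpn_text):
    """Return a list of problems; an empty list means every issuer is present in the block."""
    certs = [issuer_subject(c) for c in ca_block_certs(ovpn_text)]
    if not certs:
        return ["no certificates found in the <ca> block"]
    subjects = {subj for _, subj in certs}
    problems = []
    for issuer, subject in certs:
        if issuer != subject and issuer not in subjects:   # self-signed roots are skipped
            problems.append(f"{name_cn(subject)}: issuer {name_cn(issuer)} is not in the <ca> block")
    return problems


# --- constructed sample data (unsigned DER skeletons, for demonstration only) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, CN_OID + _der(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed certificate skeleton carrying only the fields the checker reads."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                       # [0] version v3
        _der(0x02, b"\x01"),                                                   # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),       # signature alg
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z")),  # validity
        _name(subject_cn),
        _der(0x30, b""),                                                       # SPKI placeholder
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


GOOD_OVPN = "client\ndev tun\n<ca>\n" + fake_cert_pem("Root CA A", "Root CA A") \
    + fake_cert_pem("Intermediate A", "Root CA A") + "</ca>\n"
BAD_OVPN = "client\ndev tun\n<ca>\n" + fake_cert_pem("Root CA B", "Root CA B") \
    + fake_cert_pem("Intermediate A", "Root CA A") + "</ca>\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_OVPN
    print("\n".join(check_ca_chain(text)) or "ca block chain is consistent")
```

Run it with the path of an exported bundle as the only argument; with no argument it checks the constructed mismatched sample. Names are compared as raw DER bytes, the same byte-for-byte matching OpenVPN's chain building relies on, so a root whose subject differs from the intermediate's issuer by even one attribute is flagged.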