Project

General

Profile

Actions

Bug #10649

closed

OpenVPN Cllient Export Wizard Using Wrong Root CA Certificate

Added by Dennis Adler over 4 years ago. Updated over 4 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
OpenVPN Client Export
Target version:
-
Start date:
06/10/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
SG-3100

Description

This occurs using pfSense 2.4.5-RELEASE (arm) on an SG-3100. OpenVPN CE Wizard v1.4.23.

I had two Root CAs in pfSense's Certificate Manager. #1 is a chained, self-signed Root and Intermediate certificate pair (my Root CA plus a CA key signed with my Root CA). #2 is a pfSense-generated certificate. The computer I am using is Windows 10 64-bit. CA #1 (and the Root CA used to sign it) are both installed in Windows CertMgr under Trusted Root Certification Authorities.

When I set up OpenVPN, I used CA #2 to sign an pfSense-generated OpenVPN server certificate (CERT #1), while I spent time understanding how to use OpenSSL 1.1.1. It took me some time to adapt my scripts to put the needed attributes into the certificate from CA #1.

Yesterday I finished my research and imported the new certificate signed by CA #1 (along with its private key); note that the certificate contains the complete CA chain (root and intermediate) along with the server certificate. Let's call this CERT #2. After importing, I edited the Server config to switch to CA #1 as the Peer Certificate Authority, and the newly-signed certificate (by CA #1)

All the attributes were correct, but OpenVPN was giving me an error that the Root CA was unknown. I opened the OVPN bundle file with Notepad ++ (on Windows) and was able to determine that the Intermediate CA was from #2, but the exported Root CA was from #1.

I manually copied the correct encoded CERT data from Root CA #1's certificate file, pasted it into the OVPN file and re-exported that to iOS. Now everything works fine.

I have two different VPN ports opened on my router, and after the first one worked I reconfigured and exported the second. Same Root CA certificate problem; also fixed with manual copy and paste.

It seems that the OpenVPN Export package, for some reason, grabs the wrong Root CA on a chained CA set, at least when there is a pfSense self-signed CA plus another Root CA generated by OpenSSL outside of pfSense.

Note in my initial paragraph I said I had two root CAs installed in pfSense. I have since deleted CA #1 and its certificates, as I do not need them (and I am hopeful that whenever I re-export things, it will put the correct CA certs in place since there is only one saved in pfSense now).

Actions

Also available in: Atom PDF