Bug #2800
OpenVPN doesn't work properly with intermediate/chained CAs
Status: closed
Description
There are two places where working with chained certificates is broken or at least weird. Background: OpenVPN always needs the whole CA chain in the --ca setting. It will also verify the client cert against the whole chain but that's not a pfSense problem.
So I've got this config: Created a Root CA with the pfSense Cert Manager. Created a VPN Intermediate CA with the Cert Manager. Created the OpenVPN server Cert within that CA and also the client certs.
In The OpenVPN settings I selected the Intermediate CA as the Peer Certificate Authority etc. I exported the client config with the OpenVPN Client Export Utility.
First issue: The OpenVPN Client Export Utility doesn't include the Root CA in the exported config thus the client will fail to connect. (Since I don't know if that package is an official pfSense package, this might be the wrong place to report this but this should be rather easy to fix.) It will fail with
VERIFY ERROR: depth=1, error=unable to get local issuer certificate: /C=DE/ST=HH/L=HH/O=Example_GmbH/emailAddress=vpnmaster@example.net/CN=Example_VPN_CA__pfSense_
Second (more important) issue: Once the previous one is fixed manually, the server will also fail to verify the client cert with
VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: /C=DE/ST=HH/L=HH/O=Example_GmbH/emailAddress=hostmaster@example.net/CN=Example_Root_CA__pfSense_
If I set the Peer Certificate Authority to the Root CA, it looks like it works (I have LDAP auth issues now but that's more than before).
This behaviour is at least weird/unintuitive and hard to debug. pfSense should either generate a proper chained cert if you select an Intermediate CA (preferred) or keep me from selecting one.
This is pfSense 2.0.2.
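The two verification failures the report describes can be reproduced outside pfSense with plain openssl. The script below is an added example, not code from the bug report or from the pfSense project: it builds a Root CA, an Intermediate CA signed by it and a client certificate signed by the intermediate (all subject names constructed for this demonstration), then verifies the client certificate against the different trust stores an OpenVPN `--ca` file could contain. The trusted file plays the role of `--ca`; the untrusted file plays the role of the chain the peer presents during the TLS handshake. It assumes the `openssl` command-line tool (1.1 or newer) is on PATH.

```shell
#!/bin/sh
# Added example (not part of the bug report): reproduce OpenVPN's chained-CA
# verification behaviour with openssl. Subject names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example_Root_CA" \
  -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA: signed by the root and marked as a CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example_VPN_CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -days 365 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile int.ext -out int.crt 2>/dev/null

# Client (leaf) certificate: signed by the intermediate, not a CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
  -keyout client.key -out client.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\n' > client.ext
openssl x509 -req -days 365 -in client.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -extfile client.ext -out client.crt 2>/dev/null

# chain.crt is what the --ca file must contain (intermediate plus root).
cat int.crt root.crt > chain.crt
# sent.crt models the chain an OpenSSL-based peer typically presents next to its
# leaf certificate: it is built from the peer's own CA store, so it includes the root.
cat int.crt root.crt > sent.crt

# verify_leaf TRUSTED [UNTRUSTED]: TRUSTED acts as the --ca file, UNTRUSTED as the
# chain received from the peer. Prints "ok" or "fail" based on openssl's verdict
# (the "client.crt: OK" line is checked rather than the exit code, which older
# openssl releases did not set on failure).
verify_leaf() {
  if [ $# -ge 2 ]; then
    out="$(openssl verify -CAfile "$1" -untrusted "$2" client.crt 2>&1 || true)"
  else
    out="$(openssl verify -CAfile "$1" client.crt 2>&1 || true)"
  fi
  case "$out" in
    *"client.crt: OK"*) echo ok ;;
    *) echo fail ;;
  esac
}

# verify_reason TRUSTED [UNTRUSTED]: print openssl's own "error N at D depth" line
# so the depth and reason can be compared with the OpenVPN log messages.
verify_reason() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.crt 2>&1 | grep 'depth lookup' || true
  else
    openssl verify -CAfile "$1" client.crt 2>&1 | grep 'depth lookup' || true
  fi
}

echo "--ca = intermediate only, peer sends leaf only:      $(verify_leaf int.crt)"
verify_reason int.crt
echo "--ca = intermediate only, peer sends int+root:       $(verify_leaf int.crt sent.crt)"
verify_reason int.crt sent.crt            # error 19 at depth 2: self signed cert in chain
echo "--ca = root only, peer sends intermediate:           $(verify_leaf root.crt int.crt)"
echo "--ca = intermediate + root (full chain), leaf only:  $(verify_leaf chain.crt)"
echo "--ca = intermediate + root (full chain), int+root:   $(verify_leaf chain.crt sent.crt)"
```

The second case is the server-side failure from the report: the trust store holds only the intermediate, the client presents a chain that ends in the root, and the verifier rejects the self-signed root it was never told to trust (depth 2). The third case is why selecting the Root CA as the Peer Certificate Authority appears to work: the intermediate arrives from the peer and chains up to the trusted root. Only the last two cases, where `--ca` carries the complete chain, succeed regardless of what the peer sends, which is the configuration the report asks pfSense to generate.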