Bug #4756
closed
OpenVPN Client Export fails when using "real" certificate
Added by Adam Thompson over 9 years ago.
Updated over 7 years ago.
Category:
OpenVPN Client Export
Description
Still having what appears to be the same problem as issue #1538, but in 2.2.2-RELEASE i386.
Generate a CSR from pfSense, get a signed cert (from StartSSL) for pfSense, import cert into pfSense, assign to various functions (web interface, openvpn, etc.). Works great so far.
Assign that cert to OpenVPN server, try to use openvpn client export, get failure.
"The following input errors were detected:
Could not locate the CA reference for the server certificate.
Failed to export config files!"
Public cert available for inspection at https://remote.avant.ca:8443/ and of course OpenVPN at that hostname, too.
Works perfectly with self-signed cert, but I don't want to force users to obtain and install self-signed cert, at least not until pfsense or openvpn provides a way to download it on demand.
I just figured out that if I import every cert in the chain individually into the "CA" tab, it finally works.
That's redundant, however, because those intermediate certs are already in the standard set of X509 CAs, and OpenVPN trusts it by default.
So:
1) nothing even suggested that I'd need to import the whole chain of certificates; this is the only function I've found that requires that; and
2) there's not much point in the openvpn client export including "standard" CAs in the bundle AFAIK - it just increases the size & complexity.
- Category set to OpenVPN Client Export
- Status changed from New to Confirmed
- Priority changed from Normal to Very Low
- Affected Version changed from 2.2.2 to All
Yes you have to import the chain in that case. It's stupid to use "real" certificates with OpenVPN, it's actually less secure to do so given you're granting some CA you have no control over rights to issue certs that will be trusted by your OpenVPN clients and/or servers depending on specifics of your config. The chain of trust isn't an issue in that case. You have to deploy the CA cert to clients anyway, so it's best to just use one where only you can sign the certs. I can't think of any possible circumstance where the described scenario is a good idea. You should never trust a "real" CA to issue certs for your OpenVPN.
A scenario not so bizarre:
- Company has an internal PKI that they use to issue certificates for workers (and other company resources like servers, code signing, etc.).
- They use pfSense + OpenVPN to give access to internal network resources.
- They want to "reuse" workers certificates to access such resources (since they issue CRLs and manage such PKI).
- CAs' private keys are in HSM and cannot be exported (and for security reasons only PKI software with designated devices can operate such CAs).
- Status changed from Confirmed to Not a Bug
It works fine if you import the chain, see #2800, which would include the case of a public CA (which should still never be used with openvpn) or a private but external CA.
Also available in: Atom
PDF