Project

General

Profile

Actions

Bug #6616

closed

Client Export list empty when using intermediate CA

Added by Johan Braeken over 5 years ago. Updated almost 5 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
OpenVPN Client Export
Target version:
-
Start date:
07/15/2016
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.3.1
Affected Plus Version:
Affected Architecture:

Description

Certificate setup:

A Root CA which has signed a VPN CA certificate.
This VPN CA signed the VPN server certificate and the VPN user certificates.

OpenVPN Config:

Server mode: Remote Access (SSL/TLS + User Auth)
Server certificate: A server certificate which has been signed by the VPN CA (Child of Root CA).
Certificate Depth: 2 (Client+Intermediate+Server)

User Config:

Users with an assigned user certificate which has been signed by the same VPN CA (Child of Root CA).

Observed behaviour:

In the OpenVPN config, there is a parameter "Peer Certificate Authority".

1:
If this setting is set to the VPN CA, the VPN doesn't work as the certificates can't be verified. (VERIFY ERROR: depth=2, error=self signed certificate in certificate chain)
In configuration the client export list shows all configured users which can be exported.

2:
If this setting is set to the root CA, the VPN does work as intended, but in this configuration the client export list is empty.

Expected behaviour:

The client export user list should contain all users which have have the configured "Peer Certificate Authority" certificate in the complete certificate chain and not only the users with a certificate that has been signed directly by this CA.

Actions #1

Updated by Curtis Ruck about 5 years ago

I'm running into this also. I have a root-ca, with different intermediate CAs. the intermediate CAs allow me to segregate access to different openvpn server configurations (different subnets, i.e. internal administrative users versus external/potentially untrusted users).

Actions #2

Updated by Kill Bill almost 5 years ago

This works just fine here with 2.3.3, sounds like duplicate of Bug #2800.

Actions #3

Updated by Jim Pingle almost 5 years ago

  • Status changed from New to Duplicate
Actions

Also available in: Atom PDF