Client Export list empty when using intermediate CA
A Root CA which has signed a VPN CA certificate.
This VPN CA signed the VPN server certificate and the VPN user certificates.
Server mode: Remote Access (SSL/TLS + User Auth)
Server certificate: A server certificate which has been signed by the VPN CA (Child of Root CA).
Certificate Depth: 2 (Client+Intermediate+Server)
Users with an assigned user certificate which has been signed by the same VPN CA (Child of Root CA).
In the OpenVPN config, there is a parameter "Peer Certificate Authority".
If this setting is set to the VPN CA, the VPN doesn't work as the certificates can't be verified. (VERIFY ERROR: depth=2, error=self signed certificate in certificate chain)
In this configuration the client export list shows all configured users which can be exported.
If this setting is set to the root CA, the VPN does work as intended, but in this configuration the client export list is empty.
The client export user list should contain all users which have the configured "Peer Certificate Authority" certificate in the complete certificate chain and not only the users with a certificate that has been signed directly by this CA.
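The following script is an added example, not code from this report or from pfSense or OpenVPN. It builds a constructed Root CA, intermediate VPN CA and user certificate with the openssl CLI, then reproduces the two verification outcomes described above and shows the chain-based export check the report asks for beside the direct-issuer check; the certificate names and the use of `openssl verify -partial_chain` as the chain test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not pfSense or OpenVPN code: constructed Root CA -> VPN CA -> user chain.
# Shows (a) Peer CA = VPN CA fails when the root is not trusted, (b) Peer CA = Root CA
# verifies, and (c) an export-list test that accepts the Peer CA anywhere in the chain.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root.pem"; VPNCA="$WORK/vpnca.pem"; USERCRT="$WORK/user.pem"; OTHER="$WORK/other.pem"
KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
# Minimal req config so the CA certs carry CA:TRUE regardless of the system openssl.cnf.
printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\nCN=x\n[v3_ca]\n' > "$WORK/ca.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' | tee -a "$WORK/ca.cnf" > "$WORK/ca.ext"

# Constructed PKI: Root CA, VPN CA (intermediate), user "alice", plus an unrelated CA.
openssl req -x509 -config "$WORK/ca.cnf" $KEY -keyout "$WORK/root.key" -out "$ROOT" -days 2 -subj "/CN=Root CA" 2>/dev/null
openssl req -x509 -config "$WORK/ca.cnf" $KEY -keyout "$WORK/other.key" -out "$OTHER" -days 2 -subj "/CN=Other CA" 2>/dev/null
openssl req -config "$WORK/ca.cnf" $KEY -keyout "$WORK/vpnca.key" -out "$WORK/vpnca.csr" -subj "/CN=VPN CA" 2>/dev/null
openssl x509 -req -in "$WORK/vpnca.csr" -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial -days 2 \
  -extfile "$WORK/ca.ext" -out "$VPNCA" 2>/dev/null
openssl req -config "$WORK/ca.cnf" $KEY -keyout "$WORK/user.key" -out "$WORK/user.csr" -subj "/CN=alice" 2>/dev/null
openssl x509 -req -in "$WORK/user.csr" -CA "$VPNCA" -CAkey "$WORK/vpnca.key" -CAcreateserial -days 2 \
  -out "$USERCRT" 2>/dev/null

# (a)/(b): would the server accept "alice" with $1 as the Peer Certificate Authority?
# $2 = user cert, further args = the certs the client presents alongside it (no trust).
verifies_against_peer_ca() {
  ca=$1; leaf=$2; shift 2; ut=""
  for c in "$@"; do ut="$ut -untrusted $c"; done
  openssl verify -CAfile "$ca" $ut "$leaf" >/dev/null 2>&1
}
# The direct-issuer rule the report describes: is $1 the issuer of $2 (DN comparison only)?
directly_signed_by() {
  s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1"); s=${s#subject=}
  i=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$2"); i=${i#issuer=}
  [ "$s" = "$i" ]
}
# (c): the rule the report asks for. -partial_chain lets a trusted intermediate end the
# chain, so the user is listed whenever the Peer CA appears anywhere in its chain.
peer_ca_in_chain() {
  ca=$1; leaf=$2; shift 2; ut=""
  for c in "$@"; do ut="$ut -untrusted $c"; done
  openssl verify -partial_chain -CAfile "$ca" $ut "$leaf" >/dev/null 2>&1
}

for ca in "$ROOT" "$VPNCA" "$OTHER"; do   # root: ok/no/yes  vpnca: FAIL/yes/yes  other: FAIL/no/no
  printf '%-6s vpn-verify:%s export-direct:%s export-chain:%s\n' "$(basename "$ca" .pem)" \
    "$(verifies_against_peer_ca "$ca" "$USERCRT" "$VPNCA" "$ROOT" && echo ok || echo FAIL)" \
    "$(directly_signed_by "$ca" "$USERCRT" && echo yes || echo no)" \
    "$(peer_ca_in_chain "$ca" "$USERCRT" "$VPNCA" && echo yes || echo no)"
done
```

The root line reproduces the report: the VPN verifies but the direct-issuer export list is empty, while the chain test lists the user.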
Updated by Curtis Ruck about 5 years ago
I'm running into this also. I have a root CA with different intermediate CAs. The intermediate CAs allow me to segregate access to different OpenVPN server configurations (different subnets, i.e. internal administrative users versus external/potentially untrusted users).