Bug #6616: Client Export list empty when using intermediate CA
Status: closed
Done: 0%
Description
Certificate setup:
A Root CA which has signed a VPN CA certificate.
This VPN CA signed the VPN server certificate and the VPN user certificates.
OpenVPN Config:
Server mode: Remote Access (SSL/TLS + User Auth)
Server certificate: A server certificate which has been signed by the VPN CA (Child of Root CA).
Certificate Depth: 2 (Client+Intermediate+Server)
User Config:
Users with an assigned user certificate which has been signed by the same VPN CA (Child of Root CA).
Observed behaviour:
In the OpenVPN config, there is a parameter "Peer Certificate Authority".
1: If this setting is set to the VPN CA, the VPN doesn't work, as the certificates can't be verified (VERIFY ERROR: depth=2, error=self signed certificate in certificate chain).
In this configuration the client export list shows all configured users, which can be exported.
2: If this setting is set to the root CA, the VPN does work as intended, but in this configuration the client export list is empty.
Expected behaviour:
The client export user list should contain all users which have the configured "Peer Certificate Authority" certificate anywhere in their complete certificate chain, and not only the users with a certificate that has been signed directly by this CA.
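The two behaviours above can be reproduced with plain openssl(1), independent of pfSense. The script below is an added example, not code from the bug report or from pfSense: it builds a throw-away Root CA -> VPN CA -> user certificate chain (all names constructed), then verifies the user certificate with the VPN CA as trust anchor (case 1), with the Root CA as trust anchor (case 2), and with the VPN CA as an explicitly allowed partial-chain anchor. It also shows the check the expected behaviour asks for: whether a given CA appears anywhere in the user's verified chain, not only as the direct issuer. The exact error text in case 1 depends on the OpenSSL version (the report's "self signed certificate in certificate chain" at depth=2 comes from an older, untrusted-first chain builder; newer builds report "unable to get issuer certificate" at depth=1), so the functions only return success or failure.

```shell
#!/bin/sh
# Added example (not from the bug report or pfSense). Requires openssl(1).

# Build a throw-away three-tier PKI in directory $1:
#   Demo Root CA (self-signed) -> Demo VPN CA (intermediate) -> user "alice"
make_demo_pki() {
    dir="$1"
    # Minimal config: an empty DN section (subjects come from -subj) plus
    # extension sections for CA and user certificates.
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[user_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Demo Root CA" \
        -config "$dir/ext.cnf" -extensions ca_ext >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/vpnca.key" \
        -out "$dir/vpnca.csr" -subj "/CN=Demo VPN CA" -config "$dir/ext.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$dir/vpnca.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -out "$dir/vpnca.pem" \
        -extfile "$dir/ext.cnf" -extensions ca_ext >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/user.key" \
        -out "$dir/user.csr" -subj "/CN=alice" -config "$dir/ext.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/vpnca.pem" -CAkey "$dir/vpnca.key" \
        -CAcreateserial -days 2 -out "$dir/user.pem" \
        -extfile "$dir/ext.cnf" -extensions user_ext >/dev/null 2>&1
    # What the client presents on the wire besides its own cert: the
    # intermediate and (as in the report's setup) the root.
    cat "$dir/vpnca.pem" "$dir/root.pem" > "$dir/sent_chain.pem"
}

# Case 1 of the report: the intermediate VPN CA is the "Peer Certificate Authority".
# The chain still climbs to the root, which is not a trusted anchor, so this fails.
verify_against_vpnca() {
    openssl verify -CAfile "$1/vpnca.pem" -untrusted "$1/sent_chain.pem" "$1/user.pem" >/dev/null 2>&1
}

# Case 2 of the report: the Root CA is the "Peer Certificate Authority". Succeeds.
verify_against_root() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sent_chain.pem" "$1/user.pem" >/dev/null 2>&1
}

# Same anchor as case 1, but an intermediate only works as an anchor when the
# verifier is explicitly told to accept a partial chain.
verify_against_vpnca_partial() {
    openssl verify -CAfile "$1/vpnca.pem" -partial_chain "$1/user.pem" >/dev/null 2>&1
}

# The export-list rule from "Expected behaviour": is CA file $2 present anywhere
# in the user's verified chain? Matching on the subject name is enough for this
# illustration; a real implementation should compare keys/key identifiers.
user_chain_contains_ca() {
    ca_subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sent_chain.pem" -show_chain "$1/user.pem" 2>/dev/null \
        | grep -qF "$ca_subject"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_demo_pki "$workdir"
for fn in verify_against_vpnca verify_against_root verify_against_vpnca_partial; do
    if "$fn" "$workdir"; then echo "$fn: verified"; else echo "$fn: verification failed"; fi
done
for ca in vpnca root; do
    if user_chain_contains_ca "$workdir" "$workdir/$ca.pem"; then
        echo "alice belongs in the export list for Peer CA = $ca"
    fi
done
```

Running it prints one failed verification (the VPN CA as anchor), two successes, and reports alice as exportable for both the VPN CA and the Root CA, which is the list the report expects.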
Updated by Curtis Ruck about 8 years ago
I'm running into this also. I have a root CA with different intermediate CAs. The intermediate CAs allow me to segregate access to different OpenVPN server configurations (different subnets, i.e. internal administrative users versus external/potentially untrusted users).
Updated by Kill Bill almost 8 years ago
This works just fine here with 2.3.3, sounds like a duplicate of Bug #2800.