Bug #6616: Client Export list empty when using intermediate CA
Status: closed
Description
Certificate setup:
A Root CA which has signed a VPN CA certificate.
This VPN CA signed the VPN server certificate and the VPN user certificates.
OpenVPN Config:
Server mode: Remote Access (SSL/TLS + User Auth)
Server certificate: A server certificate which has been signed by the VPN CA (Child of Root CA).
Certificate Depth: 2 (Client+Intermediate+Server)
User Config:
Users with an assigned user certificate which has been signed by the same VPN CA (Child of Root CA).
Observed behaviour:
In the OpenVPN config, there is a parameter "Peer Certificate Authority".
1: If this setting is set to the VPN CA, the VPN doesn't work, as the certificates can't be verified (VERIFY ERROR: depth=2, error=self signed certificate in certificate chain). In this configuration the client export list shows all configured users, which can be exported.
2: If this setting is set to the root CA, the VPN does work as intended, but in this configuration the client export list is empty.
Expected behaviour:
The client export user list should contain all users whose certificate chain contains the configured "Peer Certificate Authority" certificate, not only the users whose certificate was signed directly by this CA.