Bug #6973

closed

OpenVPN fails to verify client certificate when using intermediate CAs to sign server/user certs

Added by Harald Linden about 5 years ago. Updated about 5 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date: 11/29/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.2
Affected Architecture:

Description

I am using pfSense and OpenVPN with a few intermediate CAs to separate VPN servers by project:

CA1 (our own CA, self signed, imported to pfSense without private key)
  |
  -- CA2 (intermediate CA, created externally and imported to pfSense including private key)
       |
       -- CA3 (intermediate CA for Project1, created internally and signed using CA2)
       |    |
       |    -- server1 (server cert for VPN server)
       |    |
       |    -- user1 (user cert)
       |
       -- CA4 (intermediate CA for Project2, created internally and signed using CA2)

etc. etc.

If I configure the VPN server for Project 1 to use CA1 as a Peer Certificate Authority, everything works nicely. However, I don't want to do that of course, because I want to be able to separate the servers for every project and only allow clients onto a project VPN that were signed by the intermediate project CA. If I set it to use CA3 as a Peer Certificate Authority, it can't verify the user cert and fails with:

VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=DE, ST=NRW, L=town, O=corp, emailAddress=xxx@bla, CN=CA3, OU=bla

The user cert in question is generated internally. It is signed by CA3 according to the GUI and, when I decode it using openssl, it has CA3 as the Issuer and CA2 as the Authority Key Identifier.
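Added illustration of the verification the reporter is after (example code, not pfSense's or OpenVPN's own; a hypothetical test PKI built with Go's standard library, with CA1..CA4, user1 and user2 named after the report): the client cert is chained all the way to the self-signed root with every intermediate available, which is what a complete CA file gives OpenVPN, and project separation is then enforced by checking which intermediate issued the cert rather than by pointing the trust anchor at an intermediate alone. `mkCert`, `buildPKI` and `verifyProjectClient` are assumed helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a cert for cn signed by parent (self-signed when parent is nil); certSign in ku makes it a CA.
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// buildPKI is a constructed test PKI (not the reporter's CAs): CA1 -> CA2 -> {CA3 -> user1, CA4 -> user2}.
func buildPKI() (root *x509.Certificate, inters []*x509.Certificate, user1, user2 *x509.Certificate) {
	ca, leaf := x509.KeyUsageCertSign, x509.KeyUsageDigitalSignature
	ca1, k1 := mkCert("CA1", ca, nil, nil)
	ca2, k2 := mkCert("CA2", ca, ca1, k1)
	ca3, k3 := mkCert("CA3", ca, ca2, k2) // Project1 CA
	ca4, k4 := mkCert("CA4", ca, ca2, k2) // Project2 CA
	user1, _ = mkCert("user1", leaf, ca3, k3)
	user2, _ = mkCert("user2", leaf, ca4, k4)
	return ca1, []*x509.Certificate{ca2, ca3, ca4}, user1, user2
}
// verifyProjectClient chains leaf to the root with all intermediates available (a complete CA file), then
// enforces project separation: the CA that issued leaf must be projectCA, even though the whole chain is trusted.
func verifyProjectClient(leaf, root *x509.Certificate, inters []*x509.Certificate, projectCA string) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters { pool.AddCert(c) }
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool})
	if err != nil { return err } // no path to the root: the "unable to get issuer certificate" class of failure
	if issuer := chains[0][1].Subject.CommonName; issuer != projectCA {
		return fmt.Errorf("rejected: issued by %s, not %s", issuer, projectCA)
	}
	return nil
}
func main() {
	root, inters, user1, user2 := buildPKI()
	fmt.Println(verifyProjectClient(user1, root, inters, "CA3"), verifyProjectClient(user2, root, inters, "CA3"))
}
```

Go's verifier is not OpenSSL's, so this demonstrates the check rather than reproducing the exact error text; leaving the intermediates out of `inters` reproduces the same class of failure (no path to the root).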

#1

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Duplicate

Duplicate of #2800 which is fixed on 2.4 already.
