Bug #6973 - OpenVPN fails to verify client certificate when using intermediate CAs to sign server/user certs
Status: Closed
Description
I am using pfSense and OpenVPN with a few intermediate CAs to separate VPN servers by project:

CA1 (our own CA, self-signed, imported to pfSense without private key)
 |-- CA2 (intermediate CA, created externally and imported to pfSense including private key)
      |-- CA3 (intermediate CA for Project1, created internally and signed using CA2)
      |    |-- server1 (server cert for VPN server)
      |    |-- user1 (user cert)
      |-- CA4 (intermediate CA for Project2, created internally and signed using CA2)
etc. etc.
If I configure the VPN-server for Project 1 to use CA1 as a Peer Certificate Authority, everything works nicely. However, I don't want to do that of course, because I want to be able to separate the servers for every project and only allow clients onto a project VPN that were signed by the intermediate project CA. If I set it to use CA3 as a Peer Certificate Authority, it can't verify the user cert and fails with:
VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=DE, ST=NRW, L=town, O=corp, emailAddress=xxx@bla, CN=CA3, OU=bla
The user cert in question is generated internally. It is signed by CA3 according to the GUI and, when I decode it using openssl, it has CA3 as the Issuer and CA2 as the Authority Key Identifier.
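The following script is an added example and is not part of the bug report, of pfSense or of OpenVPN. It rebuilds the hierarchy from the report with throwaway EC keys (CA1 -> CA2 -> CA3 -> user1, plus CA2 -> CA4 -> user4 for the second project) and then runs `openssl verify` against the same leaf certificate with different trust anchors, so the depth=1 "unable to get issuer certificate" error from the report can be reproduced and compared with the two configurations that do verify: trusting the full CA3+CA2+CA1 chain, and trusting CA3 alone as a partial-chain anchor. The file names, the `ca_ext.cnf` extension file and the use of `-partial_chain` are choices made for this illustration, not something the page states pfSense does.

```shell
#!/bin/sh
# Added example (not from the bug report, pfSense or OpenVPN): reproduce the CA
# hierarchy from the report with throwaway keys and compare how the choice of
# trust anchor changes the result of chain verification. All material generated
# here is constructed test data created on the fly in a temporary directory.

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK" || exit 1
# Extensions for every CA certificate (root and intermediates).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf

# issue NAME ISSUER [ca]: create a key and CSR for NAME and sign it with ISSUER's
# key ("self" makes a self-signed root). A third argument "ca" adds CA extensions.
issue() {
  name=$1; issuer=$2; kind=${3:-leaf}; ext=""
  openssl ecparam -name prime256v1 -genkey -noout -out "$name.key" 2>/dev/null
  openssl req -new -key "$name.key" -subj "/O=corp/CN=$name" -out "$name.csr" 2>/dev/null
  if [ "$kind" = ca ]; then ext="-extfile ca_ext.cnf"; fi
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -days 30 -out "$name.crt" $ext \
      -signkey "$name.key" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -days 30 -out "$name.crt" $ext \
      -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial 2>/dev/null
  fi
}

# Build the tree from the report plus a sibling project intermediate (CA4).
build_hierarchy() {
  issue CA1 self ca     # root CA (imported without private key in the report)
  issue CA2 CA1 ca      # intermediate whose key lives on the firewall
  issue CA3 CA2 ca      # Project 1 intermediate
  issue CA4 CA2 ca      # Project 2 intermediate
  issue user1 CA3       # Project 1 user certificate
  issue user4 CA4       # Project 2 user certificate
  cat CA3.crt CA2.crt CA1.crt > chain3.pem   # full chain for Project 1
}

# verify CERT TRUSTFILE [extra openssl verify options]: prints "ok" when the chain
# verifies, otherwise the reason from the first "depth lookup" line, for example
# "unable to get issuer certificate" (the error quoted in the report).
verify() {
  cert=$1; trust=$2; shift 2
  if out=$(openssl verify "$@" -CAfile "$trust" "$cert" 2>&1); then
    echo ok
  else
    echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
  return 0
}

main() {
  build_hierarchy
  # Trusting the intermediate alone: CA3 is found, but its issuer CA2 is not,
  # so verification stops at depth 1 exactly as in the report.
  echo "CA3 only, user1:                 $(verify user1.crt CA3.crt)"
  # Trusting the whole chain verifies user1 ...
  echo "full chain, user1:               $(verify user1.crt chain3.pem)"
  # ... but also any cert under another CA2 child once the client sends CA4,
  # so it does not restrict the server to Project 1.
  echo "full chain, user4 (+CA4 sent):   $(verify user4.crt chain3.pem -untrusted CA4.crt)"
  # Treating CA3 as a trust anchor (partial chain) verifies Project 1 certs only.
  echo "CA3 anchor, user1:               $(verify user1.crt CA3.crt -partial_chain)"
  echo "CA3 anchor, user4 (+CA4 sent):   $(verify user4.crt CA3.crt -partial_chain -untrusted CA4.crt)"
}

main "$@"
```

Run it with `sh chain-demo.sh`; it prints one result line per configuration. The comparison shows why the report's CA1 setting "works": the verifier can walk the chain to a self-signed root. It also shows that trusting the complete chain is not the same as restricting clients to the project CA, since a certificate under the sibling intermediate CA4 still chains to CA2. Anchoring directly at the intermediate (OpenSSL's partial-chain mode) is what gives the per-project restriction the reporter wants.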
Updated by Jim Pingle about 8 years ago
- Status changed from New to Duplicate
Duplicate of #2800 which is fixed on 2.4 already.