OpenVPN fails to verify client certificate when using intermediate CAs to sign server/user certs
I am using pfSense and OpenVPN with a few intermediate CAs to separate VPN servers by project:
CA1 (our own CA, self signed, imported to pfSense without private key)
|
-- CA2 (intermediate CA, created externally and imported to pfSense including private key)
   |
   -- CA3 (intermediate CA for Project1, created internally and signed using CA2)
   |  |
   |  -- server1 (server cert for VPN server)
   |  |
   |  -- user1 (user cert)
   |
   -- CA4 (intermediate CA for Project2, created internally and signed using CA2)
If I configure the VPN server for Project 1 to use CA1 as a Peer Certificate Authority, everything works nicely. However, I don't want to do that of course, because I want to be able to separate the servers for every project and only allow clients onto a project VPN that were signed by the intermediate project CA. If I set it to use CA3 as a Peer Certificate Authority, it can't verify the user cert and fails with:
VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=DE, ST=NRW, L=town, O=corp, emailAddress=xxx@bla, CN=CA3, OU=bla
The user cert in question is generated internally. It is signed by CA3 according to the GUI and, when I decode it using openssl, it has CA3 as the Issuer and CA2 as the Authority Key Identifier.
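The following script is an added example, not part of the question and not pfSense or OpenVPN code. It builds a constructed three-tier PKI (a self-signed CA1-root, an intermediate CA3-inter signed by it, and a client cert user1 signed by the intermediate; CA2 is collapsed into the root for brevity) and then asks OpenSSL, which OpenVPN uses for peer verification, to verify user1 under four trust stores: root only, intermediate only, intermediate only with -partial_chain, and the full chain. It also extracts the Subject Key Identifier and Authority Key Identifier so the "Issuer says CA3, AKI says CA2" kind of check described above can be scripted instead of read off a decoded cert. The names, file layout and the requirement for an openssl CLI of version 1.1.1 or newer are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the question, pfSense or OpenVPN): constructed
# three-tier PKI CA1-root -> CA3-inter -> user1, then OpenSSL chain
# verification under different trust stores. Assumes openssl >= 1.1.1 on PATH.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the intermediate CA and for the user (client) certificate.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
cat > user.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF

# CA1-root: self-signed trust anchor (constructed stand-in for CA1).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj /CN=CA1-root -keyout root.key -out root.crt >/dev/null 2>&1
# CA3-inter: intermediate signed by the root (constructed stand-in for CA3).
openssl req -new -newkey rsa:2048 -nodes \
  -subj /CN=CA3-inter -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -days 30 -in inter.csr -CA root.crt -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out inter.crt >/dev/null 2>&1
# user1: client certificate issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes \
  -subj /CN=user1 -keyout user.key -out user.csr >/dev/null 2>&1
openssl x509 -req -days 30 -in user.csr -CA inter.crt -CAkey inter.key \
  -CAcreateserial -extfile user.ext -out user.crt >/dev/null 2>&1
# Full chain file, the shape OpenVPN expects in its "ca" option.
cat root.crt inter.crt > chain.crt

# Each check is silent and returns openssl's exit status. The -CAfile trust
# store plays the role of OpenVPN's "ca" (pfSense: Peer Certificate Authority).
verify_root_only()            { openssl verify -CAfile root.crt  user.crt >/dev/null 2>&1; }
verify_intermediate_only()    { openssl verify -CAfile inter.crt user.crt >/dev/null 2>&1; }
verify_intermediate_partial() { openssl verify -partial_chain -CAfile inter.crt user.crt >/dev/null 2>&1; }
verify_full_chain()           { openssl verify -CAfile chain.crt user.crt >/dev/null 2>&1; }

# Key identifiers: a cert's Authority Key Identifier must equal the Subject
# Key Identifier of the CA named in its Issuer field, or no chain can be built
# regardless of what the trust store contains.
ski_of() { openssl x509 -in "$1" -noout -text |
  awk '/Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'; }
aki_of() { openssl x509 -in "$1" -noout -text |
  awk '/Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'; }
# usage: issuer_matches_aki <cert> <candidate issuer cert>
issuer_matches_aki() { [ -n "$(aki_of "$1")" ] && [ "$(aki_of "$1")" = "$(ski_of "$2")" ]; }

# Readable summary for a stand-alone run.
report() { if "$1"; then echo "$1: verified"; else echo "$1: verification failed"; fi; }
report verify_root_only
report verify_intermediate_only
report verify_intermediate_partial
report verify_full_chain
if issuer_matches_aki user.crt inter.crt; then
  echo "user1 AKI matches CA3-inter SKI"
else
  echo "user1 AKI does NOT match CA3-inter SKI"
fi
```

The intermediate-only store fails at depth 1 with "unable to get issuer certificate" because OpenSSL, by default, only accepts a chain that ends in a self-signed certificate it trusts; the same store passes once -partial_chain is set, and the full chain passes without it. The AKI/SKI comparison is the scripted form of the manual decode in the question: run `issuer_matches_aki user.crt <ca>.crt` against each candidate CA to see which key actually signed the cert.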