Actions
Bug #6973
closed
OpenVPN fails to verify client certificate when using intermediate CAs to sign server/user certs
Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
-
Start date:
11/29/2016
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.2
Affected Architecture:
Description
I am using pfSense and OpenVPN with a few intermediate CAs to seperate VPN servers by project:
CA1 (our own CA, self signed, imported to pfSense without private key))
|
-- CA2 (intermediate CA, created externally and imported to pfSense including private key)
|
-- CA3 (intermediate CA for Project1, created internally and signed using CA2)
| |
| -- server1 (server cert for VPN server)
| |
| -- user1 (user cert)
|
-- CA4 (intermediate CA for Project2, created internally and signed using CA2)
etc. etc.
If I configure the VPN-server for Project 1 to use CA1 as a Peer Certificate Authority, everything works nicely. However I don't want to do that of course, because I want to be able to seperate the servers for every project and only allow clients onto a project VPN that were signed by the intermediate project CA. If I set it to use CA3 as a Peer Certificate Authority, it can't verify the user cert and fails with:
VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=DE, ST=NRW, L=town, O=corp, emailAddress=xxx@bla, CN=CA3, OU=bla
The user cert in question is generated internally. It is signed by CA3 according to the GUI and, when I decode it using openssl, it has CA3 as the Issuer and CA2 as the Authority Key Identifier.
Updated by
Actions