Unable to use OpenVPN with self-signed CA and Intermediate Chain
-
I'm trying to use OpenVPN with a self-signed CA certificate which has its own intermediate CA chain.
The chain is essentially this - from the root CA outbound:
internal-ca |- vpn-auth-ca |- OpenVPN Server Certificate (endpoint server cert, not a CA)
(vpn-auth-ca is also the issuer of the client certificates)
On the client side, I have the entire CA chain properly available for the system to figure out the issuer cert (because it didn't include internal-ca on client export).
However, on the server side, we get some hard failures, with this:
VERIFY ERROR: depth=1, error=unable to get issuer certificate: ... CN=vpn-auth-ca, ...
Now, normally I would attribute this to oddness in the cert stores, however all the intermediate certs AND the root cert are in pfSense's configuration and certificate store, so the only thing I can think of is that OpenVPN is not able to construct the chain, and I'll have to do this manually, but I have no way to do that in the GUI.
Is this a known issue, or is there a way I can work around the issue by manually defining the CA certificate chain file to use on the server side, since it's obviously incapable of constructing the chain itself?
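The `unable to get issuer certificate` error at depth=1 is what a verifier reports when the certificate it was handed chains to vpn-auth-ca, but nothing in its store lets it link vpn-auth-ca back to a self-signed trust anchor. The Go program below is an added example, not the poster's setup or pfSense's code: it builds a constructed internal-ca -> vpn-auth-ca -> server chain in memory, then checks the server certificate against a bundle holding only the root (fails, the equivalent of the error above) and against a bundle holding vpn-auth-ca plus internal-ca (succeeds). The CN values are taken from the thread; keys, serials and lifetimes are constructed. OpenVPN's `--ca` option accepts a file containing several PEM certificates concatenated, which is what the full bundle models.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template returns a minimal certificate template. The CNs used by the caller
// are the thread's names; all other values are constructed for this example.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key and signs tmpl with the parent's key
// (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain creates internal-ca (root) -> vpn-auth-ca (intermediate) -> server cert.
func BuildChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate, error) {
	root, rootKey, err := issue(template("internal-ca", 1, true), nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := issue(template("vpn-auth-ca", 2, true), root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	server, _, err := issue(template("openvpn-server", 3, false), inter, interKey)
	return root, inter, server, err
}

// PEMBundle concatenates certificates the way a multi-certificate ca file is laid out.
func PEMBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// VerifyAgainstBundle checks the server certificate against a PEM bundle.
// Self-signed certificates become trust anchors; every other certificate is an
// untrusted intermediate available for chain building. This mirrors OpenSSL's
// rule that a chain must end at a self-signed certificate held in the store.
func VerifyAgainstBundle(server *x509.Certificate, bundle []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	rest := bundle
	for {
		block, more := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = more
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		if c.CheckSignatureFrom(c) == nil {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is Go's "cannot reach a trust anchor"
// failure, the counterpart of OpenSSL's "unable to get issuer certificate".
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo returns the verification result with a root-only bundle and with the full chain.
func Demo() (rootOnly, fullChain error) {
	root, inter, server, err := BuildChain()
	if err != nil {
		return err, err
	}
	return VerifyAgainstBundle(server, PEMBundle(root)),
		VerifyAgainstBundle(server, PEMBundle(inter, root))
}

func main() {
	rootOnly, fullChain := Demo()
	fmt.Println("ca file = internal-ca only:         ", rootOnly)
	fmt.Println("ca file = vpn-auth-ca + internal-ca:", fullChain)
}
```

The root-only run is the situation in the question: the server certificate names vpn-auth-ca as its issuer, but that issuer is not in the bundle, so chain building stops one step above the leaf. Adding vpn-auth-ca to the same file lets the chain reach internal-ca and verification succeeds.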
-
OK, so deep diving, this does not function as expected in pfSense if you try to chain CA certificates. It just doesn't and hard-fails.
The only way to do this is to use a single-tier OpenVPN Certificate Authority and then things just work. Unfortunate, but this is a solution we can work with (everything's stored in an X.509 cert management utility so nothing is lost and everything is equally secure).
Just annoying I can't use the intermediate chains...