[BUG] OpenVPN with external CA and certificates
-
Hi all
I'm using several pfSense boxes and I'm quite pleased with it! I have also been successfully using OpenVPN with internal CA and certificates.
But now I would like to use an external (self-signed) CA for the server and client certificates.
I have imported the certs of the Root CA (probably not needed) and the intermediate CA I have created (not the keys of course). Then I created a CSR on the pfSense (so the private key stays on the pfSense) which I signed with the intermediate CA (as server cert). I can successfully use this certificate for the web interface having the CAs installed in Firefox. Now if I use the same externally signed server cert for my OpenVPN and create a user CSR which is also signed by the intermediate CA, I cannot get the OpenVPN Client Export to show the user's config files.
Using an internal CA and internally created user certs, it works as expected.
A detail which might be of interest:
System > Certificate Manager > CAs

Name             Internal   Issuer        Certificates
Root CA          no         self-signed   1
Intermediate CA  no         Root CA       0
Internal CA      yes        self-signed   3

System > Certificate Manager > Certificates

Name           Issuer
User Cert 1    external      # signed with Intermediate CA
Server Cert 1  external      # signed with Intermediate CA
User Cert 2    internal CA
Server Cert 2  internal CA

Shouldn't the issuer of User Cert 1 and Server Cert 1 be Intermediate CA and not just external?
What am I missing?
Among many other posts I have read
https://forum.pfsense.org/index.php?topic=103554 and https://forum.pfsense.org/index.php?topic=106213
but they didn't really help me. Thanks in advance for any help!
-
I got a bit further on this and also found this bug report https://redmine.pfsense.org/issues/5317
It works when generating the certificates outside pfSense. Still I would prefer to be able to sign the CSR coming from pfSense.
-
Import your CA certs as a chain into a single CA config entry.
-
@cmb:
Import your CA certs as a chain into a single CA config entry.
Actually I did that. But it does not solve the problem completely. Still, CSRs generated locally and signed by the intermediate CA are showing with issuer "external". However, if I generate the CSR, sign it with the intermediate CA and upload the certs BEFORE installing the Intermediate CA (ca-chain), then they are recognized as being issued by the intermediate CA once the intermediate CA is added.
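The workflow the thread describes (root CA, intermediate CA, a CSR generated elsewhere and signed by the intermediate, then a ca-chain file for a single CA entry) reproduced with plain openssl, plus the two checks worth running before importing the result: that the leaf's issuer DN is identical to the intermediate's subject DN, and that the leaf verifies against the chain. This is an added example, not code from the thread or from pfSense; it assumes the openssl CLI is installed, and all DNs are made up.

```shell
#!/bin/sh
# Constructed example: throwaway Root CA -> Intermediate CA chain, a leaf CSR signed
# by the intermediate (as the poster does with pfSense-generated CSRs), and checks on
# the result. All DNs are invented for the example.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

make_chain() {
  # CA extensions shared by root and intermediate (x509 -req needs them explicitly)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Root CA: key + CSR, then self-signed
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
    -out root.crt >/dev/null 2>&1
  # Intermediate CA: CSR signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out int.crt >/dev/null 2>&1
  # Leaf: CSR made on the box that keeps the key, signed by the intermediate only
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=vpn.example.test" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 365 -out server.crt >/dev/null 2>&1
  # The ca-chain one would import into a single CA entry: intermediate first, then root
  cat int.crt root.crt > ca-chain.crt
}

# Returns 0 when the leaf's issuer DN is byte-identical to the candidate CA's subject DN.
issuer_matches() {
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer)
  ca_subject=$(openssl x509 -in "$2" -noout -subject)
  [ "${leaf_issuer#issuer=}" = "${ca_subject#subject=}" ]
}

# Returns 0 when the leaf validates against the given CA chain file.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_chain
issuer_matches server.crt int.crt && echo "issuer DN matches the intermediate CA"
chain_verifies server.crt ca-chain.crt && echo "leaf verifies against root+intermediate chain"
```

If the first check fails for a certificate signed outside pfSense, the issuer DN in the signed cert does not match the imported CA's subject DN exactly, which is the first thing to rule out when a cert shows up as "external".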