Netgate Discussion Forum
    OpenVPN Export Wizard Using Wrong Root CA Certificate

    Draco

      This occurs using pfSense 2.4.5-RELEASE (arm) on an SG-3100.

      I had two Root CAs in pfSense's Certificate Manager. #1 is a chained, self-signed Root and Intermediate certificate pair (my Root CA plus a CA key signed with my Root CA). #2 is a pfSense-generated certificate. When I set up OpenVPN, I used CA #2 to sign the OpenVPN server certificate (CERT #1), while I spent time understanding how to use OpenSSL 1.1.1 to put the needed attributes into the certificate from CA #1.

      Yesterday I finished my research and imported the new certificate signed by #1 (along with its private key); note that the certificate contains the complete CA chain (root and intermediate) along with the server certificate. Let's call this CERT #2. After importing, I edited the Server config to switch to CA #1 as the Peer Certificate Authority, and the newly-signed certificate (by CA #1)

      All the attributes were correct, but OpenVPN was giving me an error that the Root CA was unknown. I opened the OVPN bundle file with Notepad++ (on Windows) and was able to determine that the Intermediate CA was from #2, but the exported Root CA was from #1.

      I manually copied the correct encoded CERT data from Root CA #1's certificate file, pasted it into the OVPN file and re-exported that to iOS. Now everything works fine.

      I have two different VPN ports opened on my router, and after the first one worked I reconfigured and exported the second. Same Root CA certificate problem; also fixed with manual copy and paste.

      It seems that the OpenVPN Export, for some reason, grabs the wrong Root CA on a chained CA set.

      Note in my initial paragraph I said I had two root CAs. I have since deleted CA #1 and its certificates, as I do not need them (and I am hopeful that whenever I re-export things, it will put the correct CA certs in place since there is only one saved in pfSense now).

      I don't know how many people have tried exports with more than one Root CA in place, and feel that this is likely a bug.

      Thoughts/comments?
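The check described in this post (opening the exported bundle and comparing which CA certificates ended up in it) can be automated. The following is an added example, not code from the thread, from pfSense or from Netgate: a stdlib-only script that pulls every certificate out of the `<ca>` block of an exported .ovpn file, decodes each certificate's issuer and subject name with a minimal DER walker, and verifies that each certificate is issued by the one that follows it, ending in a self-signed root. A bundle whose intermediate comes from one CA entry and whose root comes from another (the symptom above) is reported as a mismatch. Because the page contains no real certificates, the block builds unsigned X.509 skeletons inline as constructed test data; the CA names, `vpn.example.invalid`, and the bundle text are assumptions, and no signatures are verified.

```python
"""Check the CA chain in an exported OpenVPN (.ovpn) bundle, stdlib only: walk the DER of each
<ca> certificate, then require cert[i].issuer == cert[i+1].subject and a self-signed root last."""
import base64
import re

OID_CN = bytes.fromhex("550403")   # 2.5.4.3 commonName
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(tag, payload):
    """Encode one DER element (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def _read_tlv(buf, pos):
    """Return (tag, value, position after this element) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def cert_names(der):
    """(issuer, subject) as raw DER Name bytes from a DER-encoded certificate."""
    _, outer, _ = _read_tlv(der, 0)                     # Certificate
    _, tbs, _ = _read_tlv(outer, 0)                     # tbsCertificate
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0                     # skip optional [0] EXPLICIT version
    _, _, pos = _read_tlv(tbs, pos)                     # serialNumber
    _, _, pos = _read_tlv(tbs, pos)                     # signature AlgorithmIdentifier
    _, issuer, pos = _read_tlv(tbs, pos)                # issuer Name
    _, _, pos = _read_tlv(tbs, pos)                     # validity
    _, subject, _ = _read_tlv(tbs, pos)                 # subject Name
    return issuer, subject

def name_summary(name_der):
    """Render the CN attribute(s) of a DER Name (SEQ OF SET OF AttributeTypeAndValue) as 'CN=...'."""
    cns, pos = [], 0
    while pos < len(name_der):
        _, rdn, pos = _read_tlv(name_der, pos)
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)
            if oid == OID_CN:
                cns.append(value.decode("utf-8", "replace"))
    return ",".join("CN=" + c for c in cns) or "<no CN>"

def ca_block_certs(ovpn_text):
    """DER certificates found inside the <ca>...</ca> block of an .ovpn file, in file order."""
    m = re.search(r"<ca>(.*?)</ca>", ovpn_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(m.group(1) if m else "")]

def check_ca_chain(ovpn_text):
    """Return (ok, report lines); ok is False on any issuer/subject mismatch or a missing root."""
    names = [cert_names(c) for c in ca_block_certs(ovpn_text)]
    if not names:
        return False, ["no certificates found in <ca> block"]
    ok, report = True, []
    for i, (issuer, subject) in enumerate(names):
        last = i + 1 == len(names)
        up = subject if last else names[i + 1][1]       # the last cert must be self-signed
        if issuer == up:
            report.append(f"ok: {name_summary(subject)} issued by {name_summary(issuer)}")
        else:
            ok = False
            report.append(f"MISMATCH: {name_summary(subject)} is issued by {name_summary(issuer)}, but "
                          + ("no further cert follows" if last else f"the next cert is {name_summary(up)}"))
    return ok, report

# ---- constructed test data: unsigned X.509 skeletons, NOT real certificates ----
def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))   # CN=<cn> as UTF8String
    return _tlv(0x30, _tlv(0x31, atv))                                  # SEQ { SET { atv } }

def make_fake_cert(subject_cn, issuer_cn):
    """Structurally valid certificate with a dummy key and dummy signature (test data only)."""
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010d")))                   # sha512WithRSA
    key_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))  # rsaEncryption, NULL
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg + _name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"200606172131Z") + _tlv(0x17, b"230820172131Z"))   # validity as in the post
           + _name(subject_cn) + _tlv(0x30, key_alg + _tlv(0x03, b"\x00")))
    return _tlv(0x30, _tlv(0x30, tbs) + sig_alg + _tlv(0x03, b"\x00"))

def ovpn_bundle(*chain):
    # Minimal .ovpn text whose <ca> block holds the given DER certs, leaf-most first (placeholder host).
    pems = ["-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(c).decode() for c in chain]
    return "client\nremote vpn.example.invalid 1194 udp\n<ca>\n" + "".join(pems) + "</ca>\n"

ROOT_A = make_fake_cert("Draco Root CA", "Draco Root CA")
INTER_A = make_fake_cert("Draco Intermediate CA", "Draco Root CA")
ROOT_B = make_fake_cert("pfSense Generated CA", "pfSense Generated CA")
GOOD_OVPN = ovpn_bundle(INTER_A, ROOT_A)   # intermediate followed by its own root
BAD_OVPN = ovpn_bundle(INTER_A, ROOT_B)    # the thread's symptom: root taken from the other CA entry

if __name__ == "__main__":
    for label, text in (("good", GOOD_OVPN), ("bad", BAD_OVPN)):
        ok, report = check_ca_chain(text)
        print(f"{label}: {'PASS' if ok else 'FAIL'}", *report, sep="\n   ")
```

On a real export, pass the file contents to `check_ca_chain()`; the manual equivalent is running `openssl x509 -noout -subject -issuer` on each certificate in the `<ca>` block and comparing the names by eye. The script compares DER-encoded names byte for byte, which is enough to spot a root that belongs to a different CA entry; it does not validate signatures, so a passing result means the bundle is internally consistent, not that the chain is trustworthy.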

      Draco @Draco

        @Draco I've posted this to Redmine: Issue #10649

        Gertjan

          I'm willing to try to reproduce this, I'm using the latest stable version, 2.4.5-p1.

          But my OpenSSL is different: OpenSSL 1.0.2u-freebsd ....
          You have 1.1.1 .... how??

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit: and where are the logs??

          jimp (Rebel Alliance Developer, Netgate)

            See my notes on the Redmine issue. It's almost certainly not a bug, but a problem with the way you imported them and/or ambiguity in the subjects of the entries. There isn't nearly enough information here to speculate beyond that.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            Draco @Gertjan

              @Gertjan I am running OpenSSL on my Windows development machine, not using the version on pfSense. I set up my CA long before I owned a NetGate box. I have OpenSSL 1.1.1g 21 Apr 2020, though I've been running my private CA since OpenSSL 1.01. Lots of fixes since 1.0.2.

              I am using my Root CA cert to sign an Intermediate CA Cert. It is the Intermediate CA Cert that signed the pfSense cert/key. Attributes from my pfSense cert:

              Version V3
              Signature algorithm SHA512 RSA
              Issuer : (me - I don't think you need these details... but if you do let me know)
              Valid from: Saturday, June 6, 2020 5:21:31 PM
              Valid to: Sunday, August 20, 2023 5:21:31 PM
              Subject: E = (obscured), CN = (the DNS name of my pfSense), O = (me), S = WA, C = US
              Public key: RSA (2048 bits)
              Subject & Authority Key identifier: (let me know if you need these)
              Public key params: 05 00
              Basic Constraints: Subject Type=End Entity, Path Length Constraint=None
              CRL Distribution Points: lists 1 URL on my website
              EKU: Server Authentication (1.3.6.1.5.5.7.3.1), IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
              Netscape Comment: OpenSSL Generated Server Certificate
              Netscape Cert Type: SSL Server Authentication (40)
              Subject Alternative Name: (my external DNS for VPN), (repeat of CN from subject), and 2 IP addresses for the Netgate on my internal network
              Key Usage: Digital Signature, Key Encipherment, Key Agreement (a8)
              Thumbprint: (not clear you need this)

              That should be all you need to try to duplicate. Start with a CA key and a self-signed Cert. Then use that to sign an Intermediate cert (these are what I called CA #2 in my post). Then create a key/cert and sign it with the above attributes.

              Before installing on pfSense, use the GUI to generate a self-signed CA pair (CA #1 in my post). Then create a VPN key and sign with the pfSense CA pair. Use this signed cert + key for VPN. Export client, and the router Cert should contain the CA#1 cert.

              Next install the CA #2 onto pfSense. I did that as a chained certificate as per pfSense docs (see: link text). Here is the relevant text from that doc page:

              Importing a Chained or Nested Certificate Authority
              If the CA has been signed by an intermediary and not directly by a root CA, it may be necessary to import both the root and the intermediate CA together in one entry, such as:

              -----BEGIN CERTIFICATE-----
              [Subordinate/Intermediate CA certificate text]
              -----END CERTIFICATE-----
              -----BEGIN CERTIFICATE-----
              [Root CA certificate text]
              -----END CERTIFICATE-----
              

              If you would like to save yourself the trouble of creating a CA, post a CSR in PEM format as:

              -----BEGIN CERTIFICATE REQUEST-----
              ... encoded data here ...
              -----END CERTIFICATE REQUEST-----
              

              ... and I'll sign the key, valid for 30 days, for you to test with.

              Let me know if you need any more information to try to repro.
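As an added example (not from the thread, the pfSense documentation or Netgate), here is an OpenSSL extension file that reproduces the server-certificate attributes listed in the post above, so the intermediate-signed certificate for this repro can be generated with the stock `openssl` CLI. The file names, the CRL URL, the host names and the IP addresses are placeholders; the subject (E, CN, O, S, C) comes from the CSR, not from this file.

```ini
# Constructed example: x509 extensions matching the attributes Draco listed.
# Sign a CSR with the intermediate CA, SHA-512, 1170 days (6 Jun 2020 to 20 Aug 2023):
#   openssl x509 -req -in pfsense.csr -CA intermediate.crt -CAkey intermediate.key \
#       -CAcreateserial -days 1170 -sha512 -extfile server_ext.cnf \
#       -extensions server_cert -out pfsense.crt
# Then confirm the extensions landed:
#   openssl x509 -in pfsense.crt -noout -text

[ server_cert ]
basicConstraints       = CA:FALSE                                   # Subject Type=End Entity
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, digitalSignature, keyEncipherment, keyAgreement   # bits a8
extendedKeyUsage       = serverAuth, 1.3.6.1.5.5.8.2.2              # Server Auth + IP security IKE intermediate
nsComment              = "OpenSSL Generated Server Certificate"
nsCertType             = server                                     # SSL Server Authentication (40)
crlDistributionPoints  = URI:http://crl.example.invalid/root.crl    # placeholder URL
subjectAltName         = DNS:vpn.example.invalid, DNS:pfsense.lan.invalid, IP:192.0.2.1, IP:192.0.2.2   # placeholders
```

The `rsaEncryption` parameters (`05 00`) and the 2048-bit RSA key in the listing come from the key pair behind the CSR, not from the extension file, and the SHA512 RSA signature algorithm is selected by `-sha512` on the signing command.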

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.