Netgate Discussion Forum

    OpenVPN CRL issuer error

    OpenVPN
    • skaaptjop

      Hi all, I have a pfSense 2.2.6 system successfully running a few site-to-site OpenVPN connections.
      The setup uses a 2-tier PKI infrastructure as follows:

      • Root CA installed in cert manager

      • Intermediate CA signed by Root in cert manager

      • OpenVPN client certs signed from Intermediate CA

      • OpenVPN server cert signed from Intermediate CA

      • Cert manager created the CRLs for the Root and Intermediate CAs

      The OpenVPN server has the Intermediate CA as the Peer CA and the Intermediate CA's CRL as the Peer CRL in the config.
      The clients all have a full certificate chain installed.

      The VPN works fine but I get numerous logs complaining about:

      openvpn[24740]: vpn-client-1/xx.xxx.xxx.xxx:xxxxx CRL: CRL /var/etc/openvpn/server3.crl-verify is from a different issuer than the issuer of certificate <...intermeidate CA...>
      

      I can't quite figure out why I get this message. I've tried all possible combinations of CAs and CRLs in the Peer settings but no difference.

      Any help greatly appreciated.
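
Added example, not part of the original post and not pfSense or OpenVPN code: the log line reports a comparison between the CRL's issuer and the issuer of a certificate in the chain, so the script below builds a constructed two-tier PKI with the `openssl` CLI and prints that comparison for each certificate. The subjects (`Demo Root CA`, `Demo Intermediate CA`), all file names, and the helper names `make_demo_pki`, `issue_cert` and `crl_issuer_check` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: all names, subjects and files below are constructed.
# Build a throwaway Root -> Intermediate -> client PKI plus the Intermediate's CRL.
make_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
default_ca = demo
[demo]
database = $d/index.txt
default_md = sha256
default_crl_days = 30
EOF
    : > "$d/index.txt"
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    issue_cert inter "/CN=Demo Intermediate CA" root
    issue_cert client "/CN=vpn-client-1" inter
    openssl ca -config "$d/ca.cnf" -gencrl -cert "$d/inter.crt" \
        -keyfile "$d/inter.key" -out "$d/inter.crl" 2>/dev/null
}
# issue_cert NAME SUBJECT SIGNER: key + CSR, signed by SIGNER (only the names matter here)
issue_cert() {
    openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
    openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.crt" -CAkey "$d/$3.key" \
        -set_serial 1 -days 30 -out "$d/$1.crt" 2>/dev/null
}
# For each certificate, report whether its issuer equals the CRL's issuer
# (plain string comparison of the RFC 2253 names).
crl_issuer_check() {
    crl=$1; shift
    crl_iss=$(openssl crl -in "$crl" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    for cert in "$@"; do
        iss=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        if [ "$iss" = "$crl_iss" ]; then r=match; else r=MISMATCH; fi
        printf '%s issuer="%s" %s\n' "$(basename "$cert")" "$iss" "$r"
    done
}
tmp=$(mktemp -d)
make_demo_pki "$tmp"
# client.crt -> match; inter.crt (issued by the Root) -> MISMATCH
crl_issuer_check "$tmp/inter.crl" "$tmp/client.crt" "$tmp/inter.crt"
rm -rf "$tmp"
```

On the firewall, `crl_issuer_check` can be pointed at `/var/etc/openvpn/server3.crl-verify` and PEM copies of the chain certificates, assuming the CRL file is PEM-encoded.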

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.