OpenVPN: Client Export Utility blank



  • Just loaded the Client Export Utility.
    Ran the wizard to create a server.
    Client Install Packages is blank so nothing to export - any ideas what I have done wrong?
    v2.2.2



  • Rebel Alliance Global Moderator

    there are no user certs to export..



  • there are no user certs to export..

    Or (in the same vein) the user certs you have created don't use the same CA as the OpenVPN Server's cert.

    The export utility treats both scenarios the same - nothing to export.



  • @divsys:

    there are no user certs to export..

    Or (in the same vein) the user certs you have created don't use the same CA as the OpenVPN Server's cert.

    The export utility treats both scenarios the same - nothing to export.

    Hmm, this is a bit of a problem in my opinion. I can imagine someone using one CA for the server cert and another for the client certs. It should be possible to do this on the cert manager with two different CAs.


  • Netgate

    An OpenVPN server has a master CA for the server and the client certificates. The CA is included in the client export so the client can use it to validate the server's certificate.

    The server certificate and client certificates must be signed by the same CA. If everything doesn't match, the client is not available for export for that particular server.

    https://openvpn.net/index.php/open-source/documentation/howto.html#pki



  • Yes I understand why the pfSense certificate manager has this limitation. However, nothing prevents you from issuing the server certificate using one CA and all of the client certificates using another CA if you're doing the certificates by hand. In fact, OpenVPN recommends this practice as a security measure:

    https://openvpn.net/index.php/open-source/documentation/howto.html#secnotes



  • OK thanks for all the replies.

    I have to confess to being a bit of a certificate(d) dummy, and the CA on this pfSense was one I set up last year to have a play around.
    I think I will start with a new CA and some new certificates and go from there.


  • Netgate

    @kpa:

    Yes I understand why the pfSense certificate manager has this limitation. However, nothing prevents you from issuing the server certificate using one CA and all of the client certificates using another CA if you're doing the certificates by hand. In fact, OpenVPN recommends this practice as a security measure:

    https://openvpn.net/index.php/open-source/documentation/howto.html#secnotes

    pfSense already enforces ns-cert-type server in the client export, which means client certificates cannot be used in this manner. This method is preferred in the document you referenced over separate CAs for servers and clients.



  • Hmmm well I deleted my certificates and CA, then went from scratch.

    I followed the book accessible on the pfsense portal
    https://portal.pfsense.org/docs/book/certificates/index.html

    Created a CA, then a new user (with cert), then the OpenVPN wizard using the user I just made. The export is still blank. The thing is, the book describes what each of the steps does, but isn't a "how-to" guide. So I've obviously missed something or got a step wrong.

    Is there a step-by-step guide to creating an OpenVPN from scratch including the CA, User, Certs and OpenVPN wizard (or shouldn't I be using the wizard?)?

    thanks



  • @robatwork:

    Created a CA, then a new user (with cert), then the OpenVPN wizard using the user I just made. The export is still blank.

    This all could also be done by the wizard.

    Have you also created a server cert (type: server!) from the same CA and assigned it to the server?


  • Rebel Alliance Global Moderator

    yes the wizard walks you through creating an openvpn site and creating a ca for it, and the server cert. But you need to create a user on your own. You need to make sure you use the correct CA..

    Go to certificates - click add, create a new one.  Fill in the appropriate fields.. you will then see the cert in cert manager, then go to export util.




  • Thanks again.
    I gave it another go and this time chose Compression: No Preference and this seemed to make a difference - the Client Export is now populated.
    I can't say 100% it was this and not some other setting but all is working now so time to have a play  :)


  • Rebel Alliance Global Moderator

    compression has NOTHING to do with a user cert..

    I can tell you for 100% it wasn't that ;)



  • @johnpoz:

    compression has NOTHING to do with a user cert..

    I can tell you for 100% it wasn't that ;)

    Correct. If no users are listed, no users exist with a cert on the same CA as that OpenVPN instance. It has no relation to anything in the OpenVPN server config. Certs were added to users, then they showed up. As it notes there, and as expected.



  • I will create another from scratch when I am done with this project and see if I can document what happened.



  • One other thing to watch for: make sure the Server's cert is type:Server and the User's cert is type:User.
    The Wizard should lead you by the hand to the correct assignments.

    Seems logical enough, but it seems to pop up from time to time as an issue item.
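The rule the thread keeps coming back to (the user cert must be issued by the same CA as the server cert, and must be a client-type cert, not a server-type one) can be checked outside pfSense with plain openssl. This is an added example, not pfSense or OpenVPN code; all CAs, certs, file names and CNs are constructed on the spot in a temp directory.

```shell
#!/bin/sh
# Added example (not pfSense/OpenVPN code): build throwaway CAs and certs, then apply the
# same eligibility rule the export utility uses: a user cert is listed only if it chains
# to the CA of the server cert and is a client cert (serverAuth certs are rejected, as
# ns-cert-type server / remote-cert-tls server would reject them on the client side).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Two throwaway CAs, so the "user cert from a different CA" case can be shown.
for ca in vpn-ca other-ca; do
  openssl req -newkey rsa:2048 -nodes -keyout "$ca.key" -out "$ca.csr" -subj "/CN=$ca" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$ca.ext"
  openssl x509 -req -in "$ca.csr" -signkey "$ca.key" -extfile "$ca.ext" -out "$ca.crt" -days 30 >/dev/null 2>&1
done

# issue_cert NAME CA EKU NSTYPE : leaf cert signed by CA, with the given usage extensions
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\nnsCertType=%s\n' "$3" "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -extfile "$1.ext" -out "$1.crt" -days 30 >/dev/null 2>&1
}
issue_cert server vpn-ca   serverAuth server   # the OpenVPN server's own cert
issue_cert alice  vpn-ca   clientAuth client   # correct: user cert from the server's CA
issue_cert bob    other-ca clientAuth client   # wrong CA: the export will not list it
issue_cert srv2   vpn-ca   serverAuth server   # server-type cert given to a user: also not listed

# is_exportable USERCERT SERVERCERT CACERT : prints yes if the export utility would list it
is_exportable() {
  user_issuer=$(openssl x509 -in "$1" -noout -issuer)
  srv_issuer=$(openssl x509 -in "$2" -noout -issuer)
  text=$(openssl x509 -in "$1" -noout -text)
  if [ "$user_issuer" = "$srv_issuer" ] \
     && openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 \
     && printf '%s' "$text" | grep -q 'TLS Web Client Authentication' \
     && ! printf '%s' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo yes
  else
    echo no
  fi
}

for u in alice bob srv2; do
  printf '%-6s exportable against server.crt: %s\n' "$u" "$(is_exportable "$u.crt" server.crt vpn-ca.crt)"
done
```

Only alice prints yes; bob fails the same-CA test and srv2 fails the client-type test, which are the two blank-export causes named in the thread.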


  • Rebel Alliance Global Moderator

    hehe divsys it seems to be more than from time to time ;)  I would say that the vast majority of user problems are the wrong cert.. What I don't get is the wizard, as you stated, takes you by the hand and it's really pretty freaking impossible to mess it up.

    My guess is they are not using the wizard..  Which makes no sense to me either..

    Maybe there needs to be a wizard for creating the user certs as well? So they show up in the export util..