Netgate Discussion Forum

    [Solved] Certificate for OpenVPN: why is it "server: No"?

      CDuv

      The certificates I am importing are tagged "Server: No" by pfSense, and OpenVPN warns about possible issues:

      Warning: The selected server certificate was not created as an SSL Server certificate and may not work as expected

      The certificate was generated the exact same way I create certificates for my HTTPS websites (used by Nginx or Apache).

      What is causing this "Server: No" label?

        jimp Rebel Alliance Developer Netgate

        That value is keyed off the nsCertType flag in the certificate, which OpenVPN clients use as one of several factors in validating that a server certificate is correct.

        Without that value, another user could potentially impersonate the server if they were to intercept traffic.

        The flag is aging though and has been deprecated in the cert spec but it'll stick around until OpenVPN decides to drop it.

        You can run an OpenVPN server without it, but the client configuration needs to not include "ns-cert-type server".

          CDuv

          Thanks for the explanation,

          Clients don't use ns-cert-type server but they have remote-cert-tls server.

          As the OpenVPN server is working just fine even with this "Server: No" certificate, I'll keep it, but in the meantime I'm a bit less ignorant now :)

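An added example, not part of the original posts and not pfSense or OpenVPN code: a standard-library Python check for the nsCertType server bit that the "Server: No" label is keyed off, and for the extended key usage serverAuth OID, which OpenVPN's `remote-cert-tls server` checks (together with key usage, not covered here) instead of nsCertType. The function names and the two hex inputs are constructed for illustration; the inputs are bare extension lists, not real certificates.

```python
import base64

NS_CERT_TYPE = bytes.fromhex("6086480186f8420101")  # OID 2.16.840.1.113730.1.1
EXT_KEY_USAGE = bytes.fromhex("551d25")             # OID 2.5.29.37
SERVER_AUTH = bytes.fromhex("2b06010505070301")     # OID 1.3.6.1.5.5.7.3.1

def tlvs(buf):
    """Yield (tag, value) for DER elements laid end to end (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits say how many length bytes follow
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def extensions(der):
    """Walk constructed elements and return {extension OID bytes: extnValue}."""
    found = {}
    for tag, val in tlvs(der):
        if not tag & 0x20:  # primitive element, nothing nested inside
            continue
        kids = list(tlvs(val))
        # Extension ::= SEQUENCE { OID, optional BOOLEAN critical, OCTET STRING }
        if tag == 0x30 and len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
            found[kids[0][1]] = kids[-1][1]
        else:
            found.update(extensions(val))
    return found

def server_flags(data):
    """Accept a PEM or DER certificate and report the two server markers."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if b"-----" not in l))
    ext = extensions(data)
    ns = next(tlvs(ext[NS_CERT_TYPE]))[1] if NS_CERT_TYPE in ext else b""
    eku = next(tlvs(ext[EXT_KEY_USAGE]))[1] if EXT_KEY_USAGE in ext else b""
    return {
        # BIT STRING: byte 0 counts unused bits, 0x40 in byte 1 is the SSL server bit
        "ns_cert_type_server": len(ns) > 1 and bool(ns[1] & 0x40),
        "eku_server_auth": SERVER_AUTH in [v for t, v in tlvs(eku) if t == 0x06],
    }

# Constructed sample input: bare Extensions structures, not real certificates.
EKU_EXT = "3013" "0603551d25" "040c300a" "06082b06010505070301"
NS_EXT = "3011" "06096086480186f8420101" "0404" "03020640"
WEB_STYLE = bytes.fromhex("3015" + EKU_EXT)         # EKU serverAuth only
WITH_NS = bytes.fromhex("3028" + EKU_EXT + NS_EXT)  # EKU plus nsCertType server
```

`server_flags(WEB_STYLE)` reports the EKU marker without the nsCertType bit, and `server_flags(WITH_NS)` reports both.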
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.