[Solved] Certificate for OpenVPN: why is it "server: No"?
-
The certificate I am importing is tagged "Server: No" by pfSense, and OpenVPN warns about possible issues:
Warning: The selected server certificate was not created as an SSL Server certificate and may not work as expected
The certificate was generated the exact same way I create certificates for my HTTPS websites (used by Nginx or Apache).
What is causing this "Server: No" label?
-
That value is keyed off the nsCertType flag in the certificate, which OpenVPN clients use as one of several factors in validating that a server certificate is correct.
Without that value, another user could potentially impersonate the server if they were to intercept traffic.
The flag is aging, though, and has been deprecated in the cert spec, but it'll stick around until OpenVPN decides to drop it.
You can run an OpenVPN server without it, but the client configuration needs to not include "ns-cert-type server".
-
Thanks for the explanation,
Clients don't use ns-cert-type server but they have remote-cert-tls server.
As the OpenVPN server is working just fine even with this "Server: No" certificate, I'll keep it, but in the meantime I'm a bit less ignorant now :)
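The two server markers discussed in this thread can be checked with `openssl`. The script below is an added example, not something posted by the thread's participants. It assumes a web-style certificate carries `extendedKeyUsage = serverAuth` (which `remote-cert-tls server` checks, together with key usage) but no `nsCertType`; the helper names and the `example.test` subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway self-signed certificates, constructed locally.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EXT_LINE...  -> prints the path of a cert carrying those extensions
make_cert() {
  name=$1; shift
  {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n'
    printf '[dn]\nCN=%s.example.test\n[ext]\n' "$name"
    printf '%s\n' "$@"
  } > "$WORK/$name.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$name.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" 2>/dev/null
  echo "$WORK/$name.pem"
}

# has_marker CERT EXTENSION_HEADING VALUE: is VALUE listed under that extension?
has_marker() {
  openssl x509 -in "$1" -noout -text | grep -A1 "$2" | grep -q "$3"
}

# describe CERT: report the legacy Netscape flag and the EKU side by side
describe() {
  ns=No; eku=No
  if has_marker "$1" 'Netscape Cert Type' 'SSL Server'; then ns=Yes; fi
  if has_marker "$1" 'Extended Key Usage' 'TLS Web Server Authentication'; then eku=Yes; fi
  echo "nsCertType=server: $ns | EKU serverAuth: $eku"
}

# Web-style certificate (assumed shape of the one in the question): EKU only.
WEB=$(make_cert web 'keyUsage=digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth')
# Same certificate profile plus the deprecated Netscape flag.
LEGACY=$(make_cert legacy 'keyUsage=digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' 'nsCertType=server')

echo "web-style cert:  $(describe "$WEB")"
echo "with nsCertType: $(describe "$LEGACY")"
```

Running `describe` against the certificate actually imported into pfSense shows which client directive it can satisfy: a "No" in the first column rules out `ns-cert-type server`, while a "No" in the second means `remote-cert-tls server` clients will reject it.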