Netgate Discussion Forum

    CA & Certificate Import for Server and Client Side of OpenVPN

    OpenVPN
    sohailab

      Hi,

      I am new to pfSense and having the following issue regarding OpenVPN certificates on pfSense:

      I have SSL certificates from GoDaddy for both server and client side. For server certificates, I imported a CA (Server-CA) and then imported a certificate (Server-Cert) provided by GoDaddy. But the problem arises when I import the CA & certificate for the client, which is also from GoDaddy. The CA (Client-CA) & certificate (Client-Cert) were imported successfully, but the client certificate is showing the server CA (Server-CA) as its ISSUER, while I have created a separate CA (Client-CA) for the client. Please help me to understand why this is so.

      My target is to run certificates for both client and server side, which are provided by GoDaddy.

      Note: When I use the server certificate from GoDaddy and a client certificate from an internal CA, the setup works well.

      Any help will be appreciated.

        Derelict (LAYER 8 Netgate)

        Why GoDaddy certificates? What do you seek to gain there?

        You set the CA the server and client use to verify the other side. It makes zero difference whether that is signed by a public CA or a private one.

        You are just adding an additional, unnecessary layer.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          sohailab

          Thanks Derelict. Are the certificates created by an internal CA as secure as ones signed by an external CA? I am just worried about the security of using an internal CA. Sorry for my limited knowledge of SSL certificates.

          Your guidance will be appreciated.

            Derelict (LAYER 8 Netgate)

            GoDaddy just issued 9000 certificates without properly validating the domain.

            I would follow this and not stray from it unless you know you need to:

            https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

            If anything, there can probably be a case made that the CA private key should not be present on an exterior-facing firewall. In that case you can use whatever interior CA private key management you deem necessary based on your perceived threat model.

            Using an exterior/global CA for OpenVPN just does not make a lot of sense and might open vulnerabilities such as allowing any certificate issued by them - to anyone - to pass that validation step.

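The two points raised in this thread (the client certificate's "Issuer" being whichever CA actually signed it, and a server that trusts a CA accepting every certificate that CA ever issued) can be reproduced with openssl. This is an added example, not code from any poster or from pfSense; the CA names Server-CA and Client-CA and the client names are constructed throwaway values.

```shell
set -eu
WORK=$(mktemp -d)                     # throwaway keys and certs
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate plus private key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue NAME CA: leaf certificate for NAME, signed by CA
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -days 1 \
    -out "$WORK/$1.crt" 2>/dev/null
}

# verifies CERT CA: succeeds only if CERT chains to CA, which is all
# that a plain "trust this CA" check (the OpenVPN ca directive) tests
verifies() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# issuer_of CERT: issuer CN, the field pfSense displays as "Issuer"
issuer_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -issuer | sed 's/.*CN *= *//'
}

demo() {
  make_ca Server-CA
  make_ca Client-CA
  issue client-a Server-CA     # your own client, issued by the trusted CA
  issue stranger Server-CA     # someone else's cert from the same CA
  issue client-b Client-CA     # your client, but from a separate CA
  for c in client-a stranger client-b; do
    if verifies "$c" Server-CA; then r=accepted; else r=rejected; fi
    echo "$c (issuer: $(issuer_of "$c")) -> $r by a server trusting Server-CA"
  done
}
demo
```

The "Issuer" shown for each certificate is simply the CN of the CA that signed it, and "stranger" passes the Server-CA check exactly as client-a does, which is the exposure a private, single-purpose CA avoids.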
              johnpoz (LAYER 8 Global Moderator)

              With Derelict on this. I can see zero reasons why the VPN used by your clients would need to use public CA certs. The only time public certs need to be used is when you would have users accessing it that need to trust the CA, where you do not control the devices they use to access it and cannot add your CA to their trust list.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.