CA & Certificate Import for Server and Client Side of OpenVPN


  • Hi,

    I am new to Pfsense and having following Issue regarding OpenVPN certificates on Pfsense:

    I have SSL certificates from Godaddy for both server and client side. For Server certificates, I imported a CA (Server-CA) and then imported a certificate(Server-Cert) provided by Godaddy. But problem arises when I import CA & certificate for client which is alo from Godaddy. CA (Client-CA) & Certificate(Client-Cert) was imported successfully, but client  certificate is showing server CA (Server-CA) as its ISSUER. While I have created separate CA (Client-CA) for client. Please help me to understand why is this so?

    My target is to run certificates for both Client and Server side, which are provided by Godaddy.

    Note: When I use Server certificate from Godaddy and Client certificate from Internal CA, setup work well.

    Any help will be appreciated.

  • LAYER 8 Netgate

    Why godaddy certificates? What do you seek to gain there?

    You set the CA the server and client use to verify the other side. It makes zero difference whether that is signed by a public CA or a private one.

    You are just adding an additional, unnecessary layer.


  • Thanks Derelict. Are the certificates created by Internal CA secure like signed by external CA? I am just worried about the security using internal CA. Sorry for my less knowledge on SSL certificates.

    Your guidance will be appreciated.

  • LAYER 8 Netgate

    Godaddy just issued 9000 certificates without properly validating the domain.

    I would follow this and not stray from it unless you know you need to:

    https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

    If anything, there can probably be a case made that the CA private key should not be present on an exterior-facing firewall. In that case you can use whatever interior CA private key management you deem necessary based on your perceived threat model.

    Using an exterior/global CA for OpenVPN just does not make a lot of sense and might open vulnerabilities such as allowing any certificate issued by them - to anyone - to pass that validation step.

  • LAYER 8 Global Moderator

    With Derelict on this - I can see zero reasons why your vpn used by your clients would need to use public CA certs..  The only time public certs need to be used is when you would have uses accessing it that need to trust the CA that you do not control their devices used to access and can not add your CA to their trust list.