Netgate Discussion Forum
    OpenVPN / CA Chain question

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    1 Post, 1 Poster, 2.2k Views

      darkpixel

      I've run into an odd issue.
      My server and client certificates are 3rd level. In other words, the hierarchy goes something like this:
      0 - Root CA
        1 - Company CA
            2 - Division CA
              3 - pfSense box
              3 - Laptop

      On the laptop, I set up openvpn with the laptop cert/key and a CA chain that includes 0, 1, and 2 above.
      The laptop verifies the certificates correctly when it connects.

      On the pfSense box I set the 'Peer Certificate Authority' to 2 (Division CA) above.  I set the server certificate to be the pfSense box.

      When the laptop tries to connect, it verifies the server certs correctly, and then times out.  The server log shows that it is complaining that the 'Root CA' is self-signed.

      I can fix this by changing the 'Peer Certificate Authority' to 0 (Root CA), and then I can connect. The downside is that everyone else outside of my division can connect as well if they wanted to.

      How can I limit people from higher up in the chain from connecting?
      I could imagine this being bad if someone were in a situation of purchasing a certificate from Verisign or something - anyone else with a Verisign cert could connect...?

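One way to restrict clients to the Division CA while the server still trusts the Root CA is an OpenVPN `--tls-verify` script that pins the issuer at chain depth 1. This is an added example, not code from the post or from pfSense; it assumes the Division CA's subject contains `CN=Division CA` and that the script is wired in via OpenVPN's `tls-verify` option (on pfSense, through the server's custom options).

```shell
#!/bin/sh
# Added example (not from the forum post): an OpenVPN --tls-verify script that
# pins the issuing CA. OpenVPN runs it once per certificate in the peer's chain
# with $1 = depth (0 = the client cert, 1 = its issuer, 2 = Company CA, ...)
# and $2 = that certificate's X.509 subject; a non-zero exit aborts the handshake.
# Assumption: the Division CA's subject contains "CN=Division CA", and the
# server's trust anchor is the Root CA, as described in the post.

REQUIRED_ISSUER_CN="Division CA"   # the depth-1 CA every client must chain to

# check_depth DEPTH SUBJECT -> 0 to accept this certificate, 1 to reject it.
check_depth() {
    depth="$1"
    subject="$2"
    if [ "$depth" -ne 1 ]; then
        # Signatures on the client cert (depth 0) and the higher CAs are
        # already verified by OpenSSL; only the immediate issuer is pinned here.
        return 0
    fi
    # Accept both OpenVPN subject formats:
    #   "C=US, O=Company, CN=Division CA"  and  "/C=US/O=Company/CN=Division CA"
    # The trailing "," / "/" / end-of-string keeps "CN=Division CA2" from matching.
    case "$subject" in
        *"CN=$REQUIRED_ISSUER_CN" | *"CN=$REQUIRED_ISSUER_CN,"* | *"CN=$REQUIRED_ISSUER_CN/"*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# When invoked by OpenVPN, check the certificate passed on the command line.
# (The argument-count guard lets the file also be sourced for testing.)
if [ "$#" -eq 2 ]; then
    if check_depth "$1" "$2"; then
        exit 0
    fi
    echo "tls-verify: rejected client issued by '$2' (depth $1)" >&2
    exit 1
fi
```

The pin is only as strong as the naming discipline of the CAs above it: any CA under Company CA that issues a sub-CA with the same CN would also pass, so the check complements, rather than replaces, an accurate `Peer Certificate Authority` setting.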
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.