OpenVPN / CA Chain question

  • I've run into an odd issue.
    My server and client certificates are 3rd level.  In other words, the hierarchy goes something like this:
    0 - Root CA
      1 - Company CA
          2 - Division CA
            3 - pfSense box
            3 - Laptop

    On the laptop, I set up openvpn with the laptop cert/key and a CA chain that includes 0, 1, and 2 above.
    The laptop verifies the certificates correctly when it connects.

    On the pfSense box I set the 'Peer Certificate Authority' to 2 (Division CA) above. I set the server certificate to be the pfSense box.

    When the laptop tries to connect, it verifies the server certs correctly, and then times out.  The server log shows that it is complaining that the 'Root CA' is self-signed.

    I can fix this by changing the 'Peer Certificate Authority' to 0 (Root CA) and I can connect.  The down-side is that everyone else outside of my division can connect as well if they wanted to.

    How can I limit people from higher up in the chain from connecting?
    I could imagine this being bad if someone were in a situation of purchasing a certificate from Verisign or something; anyone else with a Verisign cert could connect...?
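The following is an added example and is not part of the original post or of pfSense. The "self-signed" complaint in the server log is the usual symptom of a CA file that lacks the trust anchor: OpenVPN (via OpenSSL) walks the chain up from the peer certificate and must end at a root it has been told to trust, so the peer CA entry normally needs the whole chain (0, 1 and 2), not just the Division CA. Once the chain verifies, narrowing who may connect is a separate policy step. OpenVPN's `--tls-verify` hook is one generic way to do it: OpenVPN runs the script once per certificate in the peer's chain, passing the depth (0 = the peer's own certificate, 1 = its direct issuer, and so on) and that certificate's X.509 subject, and a non-zero exit rejects the connection. The script below accepts a peer only if the certificate at depth 1 has the assumed common name "Division CA", so clients issued directly under the Company CA or under another division's CA are refused even though the shared root is trusted. The CA name, the maximum depth of 3 and both subject formats shown in the test values are assumptions for illustration; pfSense also exposes a "Certificate Depth" limit in its OpenVPN server settings, which covers the depth part of this check but not the issuer-name part.

```shell
#!/bin/sh
# Added example (not from the original post or from pfSense):
# an OpenVPN --tls-verify hook that accepts a peer only when the
# certificate one level above the peer (depth 1) is the Division CA.
#
# OpenVPN invokes the hook once per certificate in the peer's chain,
# deepest first, as:  <script> <depth> <x509-subject>
# Exit status 0 accepts that certificate, anything else rejects it.

# Assumed CN of the sub-CA that is allowed to issue client certificates.
REQUIRED_ISSUER_CN="${REQUIRED_ISSUER_CN:-Division CA}"
# Assumed maximum chain depth: root=3, company=2, division=1, peer=0.
MAX_DEPTH="${MAX_DEPTH:-3}"

# check_peer DEPTH SUBJECT
#   returns 0 to accept this chain element, 1 to reject it.
check_peer() {
    depth="$1"
    subject="$2"

    # Depth must be a plain non-negative integer.
    case "$depth" in
        ''|*[!0-9]*) return 1 ;;
    esac

    # Refuse chains that are longer than the hierarchy we expect.
    if [ "$depth" -gt "$MAX_DEPTH" ]; then
        return 1
    fi

    # The certificate directly above the peer must be the Division CA.
    # Both subject spellings OpenVPN has used are handled:
    #   "C=US, O=Company, CN=Division CA"   (comma separated)
    #   "/C=US/O=Company/CN=Division CA"    (slash separated)
    # The CN must end the subject or be followed by "," or "/" so that
    # a CN such as "Division CA2" does not match by prefix.
    if [ "$depth" -eq 1 ]; then
        case "$subject" in
            *"CN=$REQUIRED_ISSUER_CN"|*"CN=$REQUIRED_ISSUER_CN,"*|*"CN=$REQUIRED_ISSUER_CN/"*)
                return 0 ;;
            *)
                return 1 ;;
        esac
    fi

    # Root, company CA and the peer certificate itself are left to
    # OpenVPN's normal X.509 chain validation.
    return 0
}

# When OpenVPN runs this file it supplies exactly two arguments;
# with no arguments the functions are merely defined (useful for testing).
if [ "$#" -eq 2 ]; then
    check_peer "$1" "$2"
    exit $?
fi
```

To use it on the server side, point `tls-verify` at the script (OpenVPN also requires `script-security 2` or higher to run user scripts) while keeping the full Root/Company/Division chain as the `ca`. The check is deliberately on the issuer's name at a fixed depth rather than on the root, which is exactly the property the question asks for: the root stays trusted for path building, but only certificates chained through the named sub-CA are allowed in.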
