Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Problems with multiple CAs for OpenVPN in certificate manager

    Scheduled Pinned Locked Moved OpenVPN
    4 Posts 3 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      ad
      last edited by

      hi,
      I'm currently trying to trace a problem when i have multiple (self signed)
      CAs in the certificate manager for diffreren OpenVPN server instances.

      The symptom is the following:
      I have multiple (currently 7) independent self-signed CAs in the
      certificate manager, used for different OpenVPN services.
      They were all created independently (using EasyRSA) and the imported
      into pfSense.
      Now, for some reason pfSense thinks that all certificates, including
      all other CA certificates, are signed by the last CA imported
      (it's always the last one imported, no matter which order).
      Now, i noticed this before, but it was just a minor userinterface
      issue up until and including v2.3.2_1, but with 2.3.3 this means
      that some of my vpns now no longer work, as because of commit
      eafd9cfb5e68b1d466f7627fc729078e21a23f1a, it now puts all of
      the "certificate chain" into the ca certificates for the OpenVPN
      service, which leads to validation errors, because it is not a chain
      in reality.

      has anybody else seen this behaviour and/or is it a user error on my part?

      (i have not yet stepped through the certificate manager code as i so far was looking in
      the wrong place because i thought i made some error in upgrading or
      decoding the certificates).

      any hints would be appreciated.

      regards,
      albert

      1 Reply Last reply Reply Quote 0
      • T
        TheIPdude
        last edited by

        same problem!

        1 Reply Last reply Reply Quote 0
        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          Did you make all of those with the exact same subject? If they are all (nearly) identical it may not be able to distinguish them enough to tell who made what. It tries to locate the appropriate signing CA but if they all look alike it may not separate them properly.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • A
            ad
            last edited by

            well, country, province, city org and email are identical
            (most of these CAs where created well before we started using pfsense,
            all of them where created using easy rsa)

            so yes, if pfsense tries to look at the subject to find out if they are related this could indeed
            be the reason.

            while using the same email address might not have been ideal, i don't think it's possible to change it afterwards, so i'm stuck with it…

            regards,
            albert dengg

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.