OpenVPN Client Export Fails to Display Certs when CA Depth > 1
-
I'm trying to use the OpenVPN Client Export plugin with a client-cert-authentication OpenVPN setup that is configured with CAs as follows:
Root CA -> Intermediate User CA -> OpenVPN User Certs
Root CA -> Intermediate Server CA -> OpenVPN Server Cert
I have the OpenVPN Server Peer Certificate Authority field set to "Root CA" and the client verification depth set to "Two (Client + Intermediate)". When I manually configure my VPN clients, everything works as expected.
In the latest versions of the OpenVPN Client Export Package (1.4.12) running on pfSense 2.3.4, however, this configuration causes the client export to fail to display any entries, presumably because it's not recognizing the fact that client certificates issued from the intermediate also chain up to the selected root. Instead, it just displays the "If a client is missing from the list it is likely due to a CA mismatch between the OpenVPN server instance and the client certificate, or the client certificate does not exist on this firewall." error. When I change the server config to use the Intermediate User CA directly as the Peer Certificate Authority, the client export again displays the correct user export results.
As far as I can tell this is a regression in recent versions of the client export package, since I believe this used to work correctly.
Anyone else encountered this? Should I file a bug?
-
Under the Certificate Manager, does the Intermediate show the Root as the issuer?
What happens if you select the Intermediate in the OpenVPN server, not the root? It works when I do that, and it makes more sense that way because the root is not the issuing CA for the server certificate.
-
Under the Certificate Manager, does the Intermediate show the Root as the issuer?
Yes, the cert manager shows the correct relationships:
Root -> Self-Signed
Client Intermediate -> Issued by Root
Server Intermediate -> Issued by Root
What happens if you select the Intermediate in the OpenVPN server, not the root? It works when I do that, and it makes more sense that way because the root is not the issuing CA for the server certificate.
Selecting the Intermediate in the OpenVPN server settings resolves the issue, but I think it used to work both ways. Indeed, there wouldn't be much point to the OpenVPN server having a "Certificate Depth" setting if the Peer Certificate Authority always needs to be the immediate client cert issuer.
As long as setting the Peer CA directly to an intermediate and not a trusted root doesn't break anything else, I can do that for now, but it would be nice if the client export worked in both cases.
-
Having it work by selecting the root does not make sense. What if you have two or more intermediates? Why should it pick one over the other? It does not consult the server certificate when deciding which CA to use, because the issuer record may not always be correct for the certificate in the certificate manager depending on how things are imported (e.g. if self-signed CAs have identical subjects it may have guessed wrong about which was used in the past), or if it was imported in an old config before the code attempted to automatically relate CAs and Certs. At that point you may as well do away with selecting the CA entirely and only select the server certificate and let it work the rest out.
The depth still makes sense because it's the total length of the chain.
-
Thanks for the thoughts.
I still think it would be reasonable for the certificate manager to list any client certs that chain up to the selected Peer Certificate Authority. After all, any of these certs would correctly validate a client when connecting to the OpenVPN server, and thus could be used in client exports. For example, what if you wanted to use multiple client intermediate CAs with a single OpenVPN server (e.g. one intermediate for employees from the China office, one for employees from the US office – in order to allow you to revoke an entire office's access quickly by revoking the relevant intermediate)? If the client export package only displays client certs directly issued by the Peer CA, and not one, two or three levels below it, such a setup wouldn't be usable with the client export package.
In any case, it's not a huge deal -- for my use case, I can just set the Peer CA directly to my Intermediate.