OpenVPN with multiple intermediate certificates

  • Hi,

    We have one root certificate which issued 2 intermediate certificates; one intermediate issues server certificates (normal TLS) and the other one issues client certificates (like S/MIME).

    We have an OpenVPN server installed on pfSense and issued the server certificate for the server from the first intermediate certificate. We want to issue all client certificates from the other intermediate (both chain up to the same root). However, the TLS authentication fails.

    Peer Authority: Root Certificate
    SSL Server Certificate: Server (issued by int1)

    Client Certificate: Client (issued by int2)

    The client export package was created by setting the peer authority to the second intermediate which issued the client certificate. When we used one intermediate CA, we had to set it back to the root afterwards (but the authentication worked).

    Can someone give us a hint or is it not possible to use 2 different intermediates for clients and the server certificate?


    Error message in the OpenVPN logs:

    Sep 3 15:40:39 openvpn 44737
    Sep 3 15:40:39 openvpn 44737 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Sep 3 15:40:39 openvpn 44737 TLS_ERROR: BIO read tls_read_plaintext error
    Sep 3 15:40:39 openvpn 44737 TLS Error: TLS object -> incoming plaintext read error
    Sep 3 15:40:39 openvpn 44737 TLS Error: TLS handshake failed