Netgate Discussion Forum
    OpenVPN with multiple intermediate certificates

    OpenVPN

    Genpc

      Hi,

      We have one root certificate which issued 2 intermediate certificates; one intermediate issues server certificates (normal TLS) and the other one issues client certificates (like S/MIME).

      We have an OpenVPN server installed on pfSense and issued the server certificate for the server from the first intermediate certificate. We want to issue all client certificates from the other intermediate (both chain up to the same root). However, the TLS authentication fails.

      Peer Authority: Root Certificate
      SSL Server Certificate: Server (issued by int1)

      Client Certificate: Client (issued by int2)

      The client export package was created by setting the peer authority to the second intermediate which issued the client certificate. When we used one intermediate CA, we had to set it back to the root afterwards (but the authentication worked).

      Can someone give us a hint or is it not possible to use 2 different intermediates for clients and the server certificate?

      EDIT:

      Error message in the OpenVPN logs:

      Sep 3 15:40:39 openvpn 44737
      Sep 3 15:40:39 openvpn 44737 82.83.203.166:34602 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Sep 3 15:40:39 openvpn 44737 82.83.203.166:34602 TLS_ERROR: BIO read tls_read_plaintext error
      Sep 3 15:40:39 openvpn 44737 82.83.203.166:34602 TLS Error: TLS object -> incoming plaintext read error
      Sep 3 15:40:39 openvpn 44737 82.83.203.166:34602 TLS Error: TLS handshake failed

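The chain shape in this post (root, int1 for the server, int2 for the clients) can be reproduced and checked with the openssl CLI alone, which separates a chain-building problem from an OpenVPN configuration problem. This is an added example, not code from the post or from pfSense; all file and subject names are constructed, and the trust store passed as a single file stands in for what OpenVPN's peer authority setting provides.

```shell
# Constructed PKI with the shape described above: root -> int1 -> server,
# root -> int2 -> client. Every name here is an assumption for the demo.
set -eu
WORK=$(mktemp -d)
EXT_CA="$WORK/ca.ext"; EXT_EE="$WORK/ee.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$EXT_CA"
printf 'basicConstraints=CA:FALSE\n' > "$EXT_EE"

# issue NAME ISSUER EXTFILE: generate a key and CSR for NAME, sign it with
# ISSUER's key and certificate, applying the extensions in EXTFILE.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -subj "/CN=root" -days 1 -out "$WORK/root.crt" 2>/dev/null
  issue int1 root "$EXT_CA"
  issue int2 root "$EXT_CA"
  issue server int1 "$EXT_EE"
  issue client int2 "$EXT_EE"
}

# Trust store containing only the root: the client certificate's issuer (int2)
# is not present, so no chain to the root can be built and verification fails.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Trust store bundling the root and both intermediates: both the server chain
# (through int1) and the client chain (through int2) now complete.
verify_bundle() {
  cat "$WORK/root.crt" "$WORK/int1.crt" "$WORK/int2.crt" > "$WORK/bundle.crt"
  openssl verify -CAfile "$WORK/bundle.crt" "$WORK/client.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$WORK/bundle.crt" "$WORK/server.crt" >/dev/null 2>&1
}
```

The same requirement applies in the other direction: the CA material the client trusts must allow the server's chain through int1 to complete, so a bundle with the root and both intermediates is needed on both ends unless each side sends its own intermediate along with its certificate.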
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.