OpenVPN with multiple intermediate certificates
we have one root certificate which issued 2 intermediate certificates, one intermediate issues server certificate (normal TLS) and the other one issues client certificates (like S/MIME)
We have an OpenVPN Server on pfSense installed and issued the Servercertificate for the Server from the first intermediate certificate. We want to issue all client certificates from the other intermediate (both chain up to the same root). However, the tls authentication fails.
Peer Authority: Root Certificate
SSL Server Certificate: Server (issued by int1)
Client Certificate: Client (issued by int2)
The Client export package was created by setting the peer authority to the second intermediate which issued the client certificate. When we used one intermediate ca, we had to set it back to the root afterwards (but the authentication worked).
Can someone give us a hint or is it not possible to use 2 different intermediates for clients and the server certificate?
errormessage in the openvpn logs:
Sep 3 15:40:39 openvpn 44737
Sep 3 15:40:39 openvpn 44737 220.127.116.11:34602 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sep 3 15:40:39 openvpn 44737 18.104.22.168:34602 TLS_ERROR: BIO read tls_read_plaintext error
Sep 3 15:40:39 openvpn 44737 22.214.171.124:34602 TLS Error: TLS object -> incoming plaintext read error
Sep 3 15:40:39 openvpn 44737 126.96.36.199:34602 TLS Error: TLS handshake failed