    Different CA for clients and server

    OpenVPN
    3 Posts 2 Posters 336 Views
      gvecchi

      Hi guys,

      I'm unable to figure out how to configure an OpenVPN server CA that is different from the client CA.
      As per the OpenVPN manual:

      To avoid a possible Man-in-the-Middle attack where an authorized
      client tries to connect to another client by impersonating the
      server, make sure to enforce some kind of server certificate
      verification by clients.  There are currently four different ways
      of accomplishing this, listed in the order of preference:
      
      ...
      
      (4) **Sign server certificates with one CA and client certificates
          with a different CA**.  The client config "ca" directive should
          reference the server-signing CA while the server config "ca"
          directive should reference the client-signing CA.
      

      I'm pretty sure that the Peer Certificate Authority option needs to be configured with the server CA, but where do I configure the client CA in the OpenVPN server wizard?

      Thanks

        jimp Rebel Alliance Developer Netgate @gvecchi

        @gvecchi said in Different CA for clients and server:

        I'm pretty sure that the Peer Certificate Authority option needs to be configured with the server CA, but where do I configure the client CA in the OpenVPN server wizard?

        This is likely unnecessary as OpenVPN won't connect to another server if it isn't a server certificate these days. So unless the CA is compromised you won't see this kind of attack succeed.

        That said, in the above text it explains what to do. On your server, pick the CA that signed the client certificates. In the client configuration, export and use the CA that signed the server certificate. The client export package doesn't support this, so you'd have to do it manually.

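        The procedure jimp describes, as an added example that is not part of the thread and not pfSense's or OpenVPN's own code: a POSIX shell script that uses the openssl CLI to create two CAs, signs the server certificate with one and a client certificate with the other, writes the two OpenVPN config fragments with the `ca` directives crossed as the manual says, and then checks that each certificate chains only to its own CA. The names (server-ca, client-ca, vpn-server, alice) and the working directory are hypothetical; the only assumption is an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: a split-CA OpenVPN PKI
# built with the openssl CLI. Names (server-ca, client-ca, vpn-server, alice)
# are hypothetical; the only assumption is an openssl binary on PATH.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME CN: self-signed root (openssl req -x509 marks it CA:TRUE by default).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert CA NAME CN EKU: end-entity cert signed by CA, pinned to one EKU so
# that remote-cert-tls on each side can tell a server cert from a client cert.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$4" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verifies CERT CA: exit 0 if CERT chains to CA, non-zero otherwise.
verifies() {
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# has_eku CERT TEXT: exit 0 if the cert's extendedKeyUsage line contains TEXT.
has_eku() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$2"
}

# write_configs: the "ca" directives are crossed, exactly as the manual says.
write_configs() {
    cat > "$WORK/server.conf" <<EOF
# server validates CLIENT certs, so it trusts the client-signing CA
ca $WORK/client-ca.crt
cert $WORK/vpn-server.crt
key $WORK/vpn-server.key
remote-cert-tls client
EOF
    cat > "$WORK/client.conf" <<EOF
client
# client validates the SERVER cert, so it trusts the server-signing CA
ca $WORK/server-ca.crt
cert $WORK/alice.crt
key $WORK/alice.key
remote-cert-tls server
EOF
}

build_pki() {
    make_ca server-ca "Example Server CA"
    make_ca client-ca "Example Client CA"
    issue_cert server-ca vpn-server vpn.example.net serverAuth
    issue_cert client-ca alice alice clientAuth
    write_configs
}

# check_split: exit 0 only if each cert chains to its own CA and NOT to the
# other one, which is the property that stops a client from posing as the server.
check_split() {
    if ! verifies vpn-server server-ca; then return 1; fi
    if ! verifies alice client-ca; then return 1; fi
    if verifies alice server-ca; then return 1; fi
    if verifies vpn-server client-ca; then return 1; fi
    return 0
}

build_pki
if check_split; then
    echo "split-CA PKI built in $WORK (server.conf, client.conf)"
else
    echo "unexpected: a certificate chains to the wrong CA" >&2
    exit 1
fi
```

        On pfSense the server half of this maps to what jimp says: the server's certificate is issued by server-ca, while the Peer Certificate Authority field is set to client-ca. The client half is the manual step: the exported client config carries the CA the server was configured with, so its `ca` block has to be replaced with server-ca before distribution. `remote-cert-tls server` in the client config is the separate check that rejects a peer presenting a clientAuth certificate even when both sides share one CA.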
          gvecchi

          @jimp thanks for your reply.

          Might the documentation need to be corrected to reflect this scenario?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.