Netgate Discussion Forum

Certificate does not have key usage extension

  • T
    testsia @viragomann
    last edited by Apr 22, 2022, 1:58 PM

    @viragomann
    Do I need to restart all the OPENVPN services or is the one "OpenVPN server: Mobil-Video-CCTV_NEW" on which I conduct experiments enough?
    I reloaded one "OpenVPN server: Mobil-Video-CCTV_NEW".

    V 1 Reply Last reply Apr 22, 2022, 2:03 PM Reply Quote 0
    • V
      viragomann @testsia
      last edited by Apr 22, 2022, 2:03 PM

      @testsia
      Yes, it's sufficient to restart a single service, but the changes only affect the restarted services, naturally.

      T 1 Reply Last reply Apr 22, 2022, 2:05 PM Reply Quote 0
      • T
        testsia @viragomann
        last edited by Apr 22, 2022, 2:05 PM

        @viragomann
        Then I don't know what to do with this problem!
        I will try to restart the whole server tonight

        T 1 Reply Last reply Apr 25, 2022, 8:41 AM Reply Quote 0
        • T
          testsia @testsia
          last edited by Apr 25, 2022, 8:41 AM

          Hey!
          I rebooted the server but my problem was not solved.
          I went further in my experiments.
          I have generated a new "CA" certificate. Generated a certificate for the server, specified them in my OPENVPN configuration and now it works fine. But as soon as I return certificates that were not generated on PFSENSE, my problem returns. Does anyone have any ideas how to solve the problem?

          1 Reply Last reply Reply Quote 0
          • T
            testsia
            last edited by Apr 27, 2022, 1:20 PM

            @testsia
            Hi friends!
            I went further in my experiments.
            I installed Pfsense version 2.5, performed a restore from a backup.

            And OPENVPN works as expected!
            I can conclude that the problem is Pfsense version 2.6.
            I don't know where to write to inform the developers. But the problem is exactly Pfsense version 2.6.
            It does not work with certificates that were generated outside Pfsense.

            T 1 Reply Last reply May 2, 2022, 3:07 PM Reply Quote 0
            • T
              testsia @testsia
              last edited by May 2, 2022, 3:07 PM

              @testsia
              I determined what the problem is.
              My client certificates do not have serverAuth and clientAuth ExtendedKeyUsage ("EKU") attributes.
              In version 2.6 this check is mandatory.

              Certificate does not have key usage extension
              91.203.115.5:56352 VERIFY KU ERROR
              

              Who knows how I can disable this check on the server???

              1 Reply Last reply Reply Quote 0
              • J
                jimp Rebel Alliance Developer Netgate
                last edited by jimp May 2, 2022, 6:49 PM May 2, 2022, 6:46 PM

                @testsia said in Certificate does not have key usage extension:

                Who knows how I can disable this check on the server???

                That was already answered upthread.

                • Read https://redmine.pfsense.org/issues/13056
                • Install the System Patches package
                • Create entries in the System Patches package for 48cf54f850c5bf4fe26a8e33deb449807e71c204 and 47f2f4060d9e5b71c5c69356b61191fd2931383c
                • Fetch and apply both patches
                • Uncheck "Client Certificate Key Usage Validation" in the OpenVPN server and Save

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                T X S 3 Replies Last reply May 3, 2022, 11:44 AM Reply Quote 4
                • T
                  testsia @jimp
                  last edited by May 3, 2022, 11:44 AM

                  @jimp said in Certificate does not have key usage extension:

                  @testsia said in Certificate does not have key usage extension:

                  Who knows how I can disable this check on the server???

                  That was already answered upthread.

                  • Read https://redmine.pfsense.org/issues/13056
                  • Install the System Patches package
                  • Create entries in the System Patches package for 48cf54f850c5bf4fe26a8e33deb449807e71c204 and 47f2f4060d9e5b71c5c69356b61191fd2931383c
                  • Fetch and apply both patches
                  • Uncheck "Client Certificate Key Usage Validation" in the OpenVPN server and Save

                  I am very grateful to you!
                  You helped solve my problem!
                  Thanks!!!

                  W 1 Reply Last reply Jun 30, 2022, 6:59 PM Reply Quote 0
                  • W
                    webdawg @testsia
                    last edited by webdawg Aug 4, 2022, 5:54 PM Jun 30, 2022, 6:59 PM


                    1 Reply Last reply Reply Quote 0
                    • X
                      Ximulate @jimp
                      last edited by Jul 11, 2022, 1:48 PM

                      @jimp said in Certificate does not have key usage extension:

                      Uncheck "Client Certificate Key Usage Validation" in the OpenVPN server and Save

                      Does this create a security issue? If so, is there a proper way within pfSense to set-up the certificate so that the EKU works?

                      The post at the link below indicates it does:
                      https://superuser.com/questions/1446201/openvpn-certificate-does-not-have-key-usage-extension

                      1 Reply Last reply Reply Quote 0
                      • J
                        jimp Rebel Alliance Developer Netgate
                        last edited by Jul 11, 2022, 1:56 PM

                        If you create a new cert structure the cert manager in pfSense will put the proper set of attributes in everything these days.

                        Those certs may have been made externally or before the cert manager was adding the correct attributes.


                        1 Reply Last reply Reply Quote 0
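
Added example, not part of the original thread and not pfSense or OpenVPN code: a standard-library Python check for the condition discussed above, reporting whether a client certificate carries a keyUsage extension and an extendedKeyUsage that includes clientAuth, so externally issued certificates can be audited before the validation is turned back on. The function names are assumptions of this example, `sample_cert` builds constructed certificate skeletons (dummy names, key and signature), and key usage bit values are not evaluated.

```python
KEY_USAGE = bytes.fromhex("551d0f")              # OID 2.5.29.15
EXT_KEY_USAGE = bytes.fromhex("551d25")          # OID 2.5.29.37
CLIENT_AUTH = bytes.fromhex("2b06010505070302")  # OID 1.3.6.1.5.5.7.3.2

def children(buf):
    """Split DER content into a list of (tag, content) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def extensions(cert_der):
    """Map extension OID bytes to extnValue bytes for one DER certificate."""
    tbs = children(children(cert_der)[0][1])[0][1]
    for tag, body in children(tbs):
        if tag == 0xA3:                          # [3] EXPLICIT Extensions
            parsed = [children(ext) for _, ext in children(children(body)[0][1])]
            return {ext[0][1]: ext[-1][1] for ext in parsed}
    return {}                                    # no extensions at all

def usage_problems(cert_der):
    """KU/EKU findings for a client certificate (empty list = nothing missing)."""
    exts, problems = extensions(cert_der), []
    if KEY_USAGE not in exts:
        problems.append("no keyUsage extension")
    if EXT_KEY_USAGE not in exts:
        problems.append("no extendedKeyUsage extension")
    elif (0x06, CLIENT_AUTH) not in children(children(exts[EXT_KEY_USAGE])[0][1]):
        problems.append("extendedKeyUsage lacks clientAuth")
    return problems

def tlv(tag, *parts):  # encode one DER element; short-form length suffices for the samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(*exts):
    """Constructed skeleton: real field layout, dummy names, key and signature."""
    tbs = [tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01")] + [tlv(0x30)] * 5
    tbs += [tlv(0xA3, tlv(0x30, *exts))] if exts else []
    return tlv(0x30, tlv(0x30, *tbs), tlv(0x30), tlv(0x03, b"\x00"))

KU_EXT = tlv(0x30, tlv(0x06, KEY_USAGE), tlv(0x04, tlv(0x03, b"\x07\x80")))  # constructed: digitalSignature
def eku_ext(purpose):  # constructed extendedKeyUsage extension with one purpose OID
    return tlv(0x30, tlv(0x06, EXT_KEY_USAGE), tlv(0x04, tlv(0x30, tlv(0x06, purpose))))
```

To audit a real certificate, convert its PEM text to DER with the standard library's `ssl.PEM_cert_to_DER_cert(pem_text)` and pass the result to `usage_problems`.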
                        • A ads76 referenced this topic on Sep 1, 2022, 4:35 PM
                        • S
                          slu @jimp
                          last edited by Dec 14, 2022, 1:17 PM

                          @jimp
                          thank you Jim, I'm running into the same problem with some older VPN clients/certs.

                          pfSense Gold subscription

                          1 Reply Last reply Reply Quote 0
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.