Netgate Discussion Forum
    Unable to use OpenVPN with self-signed CA and Intermediate Chain

    OpenVPN
    openvpn problem intermediate ca
    teward

      I'm trying to use OpenVPN with a self-signed CA certificate which has its own intermediate CA chain.

      The chain is essentially this - from the root CA outbound:

      internal-ca
      |- vpn-auth-ca
         |- OpenVPN Server Certificate (endpoint server cert, not a CA)

      (vpn-auth-ca is also the issuer of the client certificates)

      On the client side, I have the entire CA chain properly available for the system to figure out the issuer cert (because it didn't include internal-ca on client export).

      However, on the server side, we get some hard failures, with this:

      VERIFY ERROR: depth=1, error=unable to get issuer certificate: ... CN=vpn-auth-ca, ...

      Now, normally I would attribute this to oddness in the cert stores; however, all the intermediate certs AND the root cert are in pfSense's configuration and certificate store, so the only thing I can think of is that OpenVPN is not able to construct the chain, and I'll have to do this manually, but I have no way to do that in the GUI.

      Is this a known issue, or is there a way I can work around the issue by manually defining the CA certificate chain file to use on the server side, since it's obviously incapable of constructing the chain itself?

      teward

        OK, so deep diving, this does not function as expected in pfSense if you try to chain CA certificates. It just doesn't and hard-fails.

        The only way to do this is to use a single-tier OpenVPN Certificate Authority and then things just work. Unfortunate, but this is a solution we can work with (everything's stored in an X.509 cert management utility so nothing is lost and everything is equally secure).

        Just annoying I can't use the intermediate chains...

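An added example, not code from this thread or from pfSense: it builds a throwaway two-tier CA with the same shape as the one described above (the names internal-ca, vpn-auth-ca and vpn.example are constructed) and reproduces the depth-1 "unable to get issuer certificate" failure at the OpenSSL level when the trusted CA file holds only the intermediate, then shows that a single PEM bundle of root plus intermediate, the layout OpenVPN's ca option accepts, lets the chain verify.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway two-tier CA
# (names internal-ca, vpn-auth-ca and vpn.example are constructed) and show
# why verification stops at depth 1 when the CA file holds only the
# intermediate, and passes once root and intermediate are bundled together.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed root; "openssl req -x509" marks it CA:TRUE by default.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=internal-ca" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# Intermediate signed by the root, explicitly flagged as a CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn-auth-ca" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile inter.ext -out inter.pem >/dev/null 2>&1

# End-entity server certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example" \
  -keyout server.key -out server.csr >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -extfile server.ext -out server.pem >/dev/null 2>&1

# verify_with CAFILE: prints "ok", or the OpenSSL reason the chain failed.
verify_with() {
  if out=$(openssl verify -CAfile "$1" server.pem 2>&1); then
    echo ok
  else
    echo "$out" | grep -o 'unable to get issuer certificate' || echo "$out"
  fi
}

# Only the intermediate is trusted: OpenSSL reaches vpn-auth-ca at depth 1
# and cannot find its issuer, the same failure the OpenVPN log reports.
verify_with inter.pem       # -> unable to get issuer certificate

# Root and intermediate concatenated into one PEM file, the layout that
# OpenVPN's "ca" option accepts, lets the chain close at the root.
cat root.pem inter.pem > ca-chain.pem
verify_with ca-chain.pem    # -> ok
```

The same check against a CA file exported from the firewall tells you whether the file OpenVPN is actually reading contains the root, independent of what the certificate manager shows.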
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.