New OpenVPN Server with external SSL cert - no export option



  • Hello guru's,

    I have run into a snag that is driving me nuts, sure as usual it is something small i am missing.

    I have several Pfsense boxes, and on them OpenVPN running fine, but i use self signed / generated certs created in Pfsense for my OpenVPN server and users to use as i use

    Remote Access TLS/SSL + User Auth

    I just put up a new box, but i have a signed SSL cert from RapidSSL i want to use instead, however i am getting the dreaded CA cert match error on the Client Export tab under OpenVPN

    NOTE: If you expect to see a certain client in the list but it is not there, it is usually due to a CA mismatch between the OpenVPN server instance and the client certificates found in the User Manager.

    I have redone the VPN server about 100 times now as well as the user as well as importing the certs, triple checking all options. using the same cert for both the server and user

    I created the CA's and Certificates using my signed .csr and .key files (i also included the primary and secondary root certs in the .csr)

    I made sure they are all using 2048bit encryption as that is what the certs were created with.

    System: User Manager

    I set up the user info and have tried both

    Click to create a user certificate. selected and not selected..

    Selecting  Click to create a user certificate. i choose the Certificate authority as my signed SSL certificate and set a Descriptive name

    This how does not show me the export option under

    OpenVPN: Client Export Utility

    Not sure what i am missing that is not allowing me to use my signed SSL cert for OpenVPN, the OpenVPN service has started and runs fine


  • Rebel Alliance Developer Netgate

    Why would you want to do that for your VPN? It gains you nothing and gives you tons of headaches.

    That said, the main problems are that the server certificate:
    1. Is not a server certificate
    2. Does not appear to have your imported CA listed as its issuer



  • Not sure, was thinking would of been nice, but if it really doesn't offer anything over self signed certs, then no reason for me to do it!

    I have been revising my network and consolidating all admin tools under a domain and using https on everything and so thought why not use the cert on VPN since i have it.

    I clearly have had the "headache" part of it so far!

    Appreciate the response.