OpenVPN Tunnel with Intermediate certificate(s)
Hi,
it seems that this was not fully tested?
I need some time to figure out how it works correctly because the openvpn error messages point in the wrong direction…
Here is documentation if someone also needs this:
Server => got external root CA imported; created intermediate CA.
Client => got external root CA + intermediate CA imported
My server holds the intermediate CA
- setting in openvpn server section certificate depth to Two..Five
But this is - for my tested self-signed local CA - not enough.
- I must also set up an additional dummy CA which holds the public intermediate cert 1st and the public self-signed root CA below it (no keys needed).
- select the dummy Intermediate CA "Bundle" as CA (and let the CRL of the intermediate CA)
Same needed for client side:
a) dummy CA with public intermediate/root CA crt (no keys needed)
b) select dummy CA-bundle
then both sides can connect fine ;)
Feature requests:
- Possibility to verify imported certs automatically in chain if certs are imported / perhaps also if externally available as URL
- Optional : Also select on client side verify of server, verify depth for ca cert (which chain must be available imported/remote as URL)
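The chain check behind the workaround described in this post, as an added example that is not part of the original post: it builds a throwaway root CA, intermediate CA and server certificate with the `openssl` CLI, then verifies the server certificate against the root alone, the intermediate alone, and the bundle (intermediate first, root below). All subjects and file names are constructed, and `openssl verify -CAfile` is assumed to stand in for the CA selection the peer validates against.

```shell
#!/bin/sh
# Added example: throwaway test PKI; every name and path here is constructed.
set -eu

make_test_pki() {   # $1 = existing empty work directory
  d=$1
  # Minimal OpenSSL config: CA and leaf extension sections.
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=placeholder' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    '[v3_leaf]' 'basicConstraints=critical,CA:FALSE' > "$d/x.cnf"
  # Self-signed root CA (stands in for the external root CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/x.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/x.cnf" -extensions v3_ca \
    -out "$d/int.crt" 2>/dev/null
  # Server certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
    -subj "/CN=vpn.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$d/x.cnf" -extensions v3_leaf \
    -out "$d/server.crt" 2>/dev/null
  # The "dummy CA": public certs only, intermediate first, root below it.
  cat "$d/int.crt" "$d/root.crt" > "$d/bundle.crt"
}

verify_with() {   # $1 = CA file used as trust store, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_test_pki "$work"
for ca in root.crt int.crt bundle.crt; do
  if verify_with "$work/$ca" "$work/server.crt"; then r=OK; else r=FAIL; fi
  echo "CA file $ca: $r"
done
rm -rf "$work"
```

Without `-partial_chain`, OpenSSL needs every certificate up to the self-signed root in the trust file, which is why neither single CA file is enough for a certificate issued by the intermediate.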