OpenVPN Tunnel with Intermediate certificate(s)



  • Hi,

    it seems that this was not fully tested?
    I need some time to figure out how it works correctly because the OpenVPN error messages point in the wrong direction…
    Here is the documentation if someone also needs this:

    Server => got external root CA imported; created intermediate CA.
    Client => got external root CA + intermediate CA imported

    My server holds the intermediate CA

    1. Set the certificate depth in the OpenVPN server section to Two..Five.
      But this is - for my tested self-signed local CA - not enough.
    2. I must also set up an additional dummy CA which holds the public intermediate cert first and the public self-signed root CA below it (no keys needed).
    3. Select the dummy Intermediate CA "Bundle" as CA (and let the CRL of the intermediate CA).

    The same is needed on the client side:
    a) dummy CA with public intermediate/root CA crt (no keys needed)
    b) select the dummy CA bundle

    Then both sides can connect fine ;)

    Feature requests:

    • Possibility to verify imported certs automatically in the chain when certs are imported / perhaps also if externally available as a URL
    • Optional: also select on the client side verification of the server, verify depth for the CA cert (which chain must be available imported/remote as URL)
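The chain situation from the post, reproduced as an added example (not from the post or the firewall project): throwaway root -> intermediate -> server certificates built with the openssl CLI, then a check that the leaf only verifies against the "dummy bundle" (intermediate first, root below it) and not against the root alone. All file and subject names are hypothetical and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example (not from the forum post): build a throwaway root -> intermediate
# -> server chain and show which CA file lets the peer verify the server cert.
# Names and paths are hypothetical; only the openssl CLI is needed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_chain() {
  # CA extensions shared by root and intermediate
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  # Self-signed root CA (stands in for the externally imported root)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  # Server leaf certificate, signed by the intermediate only
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/server.crt" 2>/dev/null
  # The "dummy CA bundle" from the post: public intermediate first, root below it
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/bundle.crt"
}

# Number of certificates in a CA file under $WORK (the bundle holds two)
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/$1"
}

# Exit 0 when server.crt chains to a trusted root using only the given CA file,
# which is what the OpenVPN peer must manage with the CA selected in the GUI.
verify_leaf() {
  openssl verify -CAfile "$WORK/$1" "$WORK/server.crt" >/dev/null 2>&1
}

build_chain
verify_leaf root.crt   && echo "root only : OK" || echo "root only : FAIL (no local issuer for the leaf)"
verify_leaf bundle.crt && echo "bundle    : OK" || echo "bundle    : FAIL"
```

With the root alone the verifier cannot find the leaf's issuer, which is the failure the post hit before adding the intermediate to the selected CA; the bundle supplies the missing hop.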