Could not locate the CA reference for the server certificate

  • Hi Guys,

    Hoping someone will be able to help me.

    Have setup CA server \ client certs for OpenVPN.  Everything appears to have gone well.  However, when I use the "export client", I get the following error : "Could not locate the CA reference for the server certificate"


    Manually exported the client certifcate to see if it looks ok - which it does.
    Re-created the client ceritifcate again - just incase it was corrupt - again, same error.

    Anyone came across this?

    Any help … much appreciated !!!


    PS.  It's a brand new install, with only one client at the moment.

  • I'm no expert but I managed to get OpenVPN working on several pfsense boxes by following this tutorial:

    Youtube Video

  • Doh !!!

    Got it working … it was the web cert. that was select under server.

    Sometimes you can see the woods for the trees.


  • Hi all,

    as this topic is the only one referring to the mentioned error message I think I should not open a new topic.

    I am getting the same error message.

    I guess it is somewhat related to the server name.

    My setup as shown: CA (server certificates are generated by which hosts my CA for my domain)
    -dyndns account which points my dynamic IP of the OVPN server to (let's say)
    -CNAME entry in my domain which points the hostname to
    -assured the CNAME entry is in place at System -> Advanced -> Admin Access -> Alternate Hostnames
    -created certificate signing requests for, got them confirmed by my ca and updated the csr, now having a valid server cert
    -created a OVPN server with SSL authentification which uses the created server certificate for
    -tried to client export the OVPN config and got the above error

    I tried to export with "Interface IP address", "DynDNS:" or "Other: (and entered".
    Every time I am getting the same error: "Could not locate the CA reference for the server certificate".

    What could this mean?

    Anyone having a clue?


  • Banned


    My setup as shown: CA (server certificates are generated by which hosts my CA for my domain)

    You might want to read these before further debugging:

  • You may need to install one or more intermediate CAs so that your firewall can follow a chain all the way back to a trusted root CA.  You can verify this by checking /etc/ssl/cert.pem, which contains the list of CA root certificates that are trusted by your device.  If the issuer on your certificate isn't in that file, then you'll need to install intermediate CA certificate(s).

    For example, we use RapidSSL certificates here.  Since RapidSSL isn't a trusted root CA, we have to install their intermediate CA certificate, which bridges back to GeoTrust, which is a trusted root CA.  (Screen shots attached.)

    ![2015-07-07 15-58-07_rtr-gw-sand.stelwagon.local - System_ Certificate Manager.png](/public/imported_attachments/1/2015-07-07 15-58-07_rtr-gw-sand.stelwagon.local - System_ Certificate Manager.png)
    ![2015-07-07 15-58-07_rtr-gw-sand.stelwagon.local - System_ Certificate Manager.png_thumb](/public/imported_attachments/1/2015-07-07 15-58-07_rtr-gw-sand.stelwagon.local - System_ Certificate Manager.png_thumb)
    ![2015-07-07 15-55-51_rtr-gw-sand.stelwagon.local - System_ Certificate Authority Manager.png](/public/imported_attachments/1/2015-07-07 15-55-51_rtr-gw-sand.stelwagon.local - System_ Certificate Authority Manager.png)
    ![2015-07-07 15-55-51_rtr-gw-sand.stelwagon.local - System_ Certificate Authority Manager.png_thumb](/public/imported_attachments/1/2015-07-07 15-55-51_rtr-gw-sand.stelwagon.local - System_ Certificate Authority Manager.png_thumb)

Log in to reply