[BUG] OpenVPN with external CA and certificates

  • Hi all

    I'm using several pfSense boxes and I'm quite pleased with them! I have also been successfully using OpenVPN with an internal CA and certificates.

    But now I would like to use an external (self-signed) CA for the server and client certificates.
    I have imported the certs of the Root CA (probably not needed) and the intermediate CA I have created (not the keys of course). Then I created a CSR on the pfSense (so the private key stays on the pfSense) which I signed with the intermediate CA (as server cert). I can successfully use this certificate for the web interface having the CAs installed in Firefox.

    Now if I use the same externally signed server cert for my OpenVPN and create a user CSR which is also signed by the intermediate CA, I cannot get the OpenVPN Client Export to show the users' config files.

    Using an internal CA and internally created user certs, it works as expected.

    A detail which might be of interest:

    System > Certificate Manager > CAs
    Name             Internal   Issuer        Certificates
    Root CA          no         self-signed   1
    Intermediate CA  no         Root CA       0
    Internal CA      yes        self-signed   3

    System > Certificate Manager > Certificates
    Name           Issuer
    User Cert 1    external      # signed with Intermediate CA
    Server Cert 1  external      # signed with Intermediate CA
    User Cert 2    internal CA
    Server Cert 2  internal CA

    Shouldn't the issuer of User Cert 1 and Server Cert 1 be Intermediate CA and not just external?

    What am I missing?

    Among many other posts I have read
    https://forum.pfsense.org/index.php?topic=103554 and https://forum.pfsense.org/index.php?topic=106213
    but they didn't really help me.

    Thanks in advance for any help!

  • I got a bit further on this and also found this bug report https://redmine.pfsense.org/issues/5317

    It works when generating the certificates outside pfSense. Still I would prefer to be able to sign the CSR coming from pfSense.

  • Import your CA certs as a chain into a single CA config entry.

  • @cmb:

    Import your CA certs as a chain into a single CA config entry.

    Actually I did that. But it does not solve the problem completely. Still, CSRs generated locally and signed by the intermediate CA show the issuer as external. However, if I generate the CSRs, sign them with the intermediate CA and upload the certs BEFORE installing the Intermediate CA (ca-chain), then they are recognized as being issued by the intermediate CA once the intermediate CA is added.
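    The procedure the thread describes (external root and intermediate CA, a CSR signed by the intermediate, and the CA certs imported as one chain) can be reproduced with the openssl CLI to see how issuer matching behaves. The script below is an added example, not something posted in this thread or shipped with pfSense; the CA and host names (Lab Root CA, Lab Intermediate CA, vpn.example.test) are constructed for the demo. It builds the two-tier CA, signs a server CSR with the intermediate, and then checks the leaf against the root alone and against the root+intermediate chain: with only the root available the issuer cannot be located and verification fails, which is the same situation as a CA entry that lacks the intermediate; with the chain file it verifies.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): two-tier CA with openssl,
# a server CSR signed by the intermediate, and verification of the leaf against
# root-only versus the root+intermediate chain. All names are constructed.
set -e

WORK=$(mktemp -d)

# Minimal config so the commands do not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

make_chain() {
    cfg="$WORK/openssl.cnf"
    # 1. Self-signed root CA.
    openssl req -x509 -config "$cfg" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Lab Root CA" -extensions v3_ca \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    # 2. Intermediate CA: a CSR signed by the root with CA extensions.
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=Lab Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -sha256 -days 1825 -extfile "$cfg" -extensions v3_intermediate \
        -out "$WORK/inter.crt" 2>/dev/null
    # 3. Server CSR (the step pfSense performs; the private key never leaves the box).
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    # 4. Sign the server CSR with the intermediate (done on the external CA).
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$cfg" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
    # 5. Chain file: intermediate first, then root. This is the content that goes
    #    into a single CA entry when the CA certs are imported as a chain.
    cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/ca-chain.crt"
}

# Print the issuer CN of a certificate (RFC2253 form keeps the output stable).
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed -e 's/^issuer= *//' -e 's/^CN=//'
}

# Exit 0 when the certificate chains to the CA file given as $2, non-zero otherwise.
verifies_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_chain
echo "server.crt issuer: $(issuer_cn "$WORK/server.crt")"
if verifies_against "$WORK/server.crt" "$WORK/root.crt"; then
    echo "root.crt alone:  verifies"
else
    echo "root.crt alone:  FAILS (issuer not found without the intermediate)"
fi
if verifies_against "$WORK/server.crt" "$WORK/ca-chain.crt"; then
    echo "ca-chain.crt:    verifies"
fi
```

    The same checks are useful on the pfSense side before importing: `openssl verify -CAfile ca-chain.crt server.crt` should succeed, and the issuer printed by `openssl x509 -issuer` should match the subject of a CA certificate that is actually present in the chain entry.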