Netgate Discussion Forum

[BUG] OpenVPN with external CA and certificates

FreeMinded, Apr 19, 2016, 11:47 AM (last edited Apr 25, 2016, 3:42 PM)

    Hi all

    I'm using several pfSense boxes and I'm quite pleased with them! I have also been successfully using OpenVPN with an internal CA and certificates.

    But now I would like to use an external (self-signed) CA for the server and client certificates.
    I have imported the certs of the Root CA (probably not needed) and the intermediate CA I have created (not the keys, of course). Then I created a CSR on the pfSense (so the private key stays on the pfSense), which I signed with the intermediate CA (as a server cert). I can successfully use this certificate for the web interface with the CAs installed in Firefox.

    Now, if I use the same externally signed server cert for my OpenVPN and create a user CSR which is also signed by the intermediate CA, I cannot get the OpenVPN Client Export to show the user's config files.

    Using an internal CA and internally created user certs, it works as expected.

    A detail which might be of interest:

    System > Certificate Manager > CAs
    Name             Internal   Issuer        Certificates
    Root CA          no         self-signed   1
    Intermediate CA  no         Root CA       0
    Internal CA      yes        self-signed   3

    System > Certificate Manager > Certificates
    Name           Issuer
    User Cert 1    external      # signed with Intermediate CA
    Server Cert 1  external      # signed with Intermediate CA
    User Cert 2    Internal CA
    Server Cert 2  Internal CA

    Shouldn't the issuer of User Cert 1 and Server Cert 1 be Intermediate CA and not just external?

    What am I missing?

    Among many other posts, I have read
    https://forum.pfsense.org/index.php?topic=103554 and https://forum.pfsense.org/index.php?topic=106213
    but they didn't really help me.

    Thanks in advance for any help!


    FreeMinded, Apr 20, 2016, 7:41 PM

      I got a bit further on this and also found this bug report: https://redmine.pfsense.org/issues/5317

      It works when generating the certificates outside pfSense. Still, I would prefer to be able to sign the CSR coming from pfSense.


      cmb, Apr 20, 2016, 10:20 PM

        Import your CA certs as a chain into a single CA config entry.


        FreeMinded, Apr 21, 2016, 6:36 AM

          @cmb:

          Import your CA certs as a chain into a single CA config entry.

          Actually, I did that. But it does not solve the problem completely. Still, CSRs generated locally and signed by the intermediate CA show up with the issuer "external". However, if I generate the CSRs, sign them with the intermediate CA and upload the certs BEFORE installing the Intermediate CA (ca-chain), then they are recognized as being issued by the intermediate CA once the intermediate CA is added.

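The two checks this thread turns on, as an added example (my own script, not from the thread and not pfSense code): does the externally signed server cert validate against the CA chain you intend to import into a single CA entry, and does its issuer DN exactly equal the subject DN of the intermediate CA? The script assumes the openssl CLI is installed, builds a throwaway placeholder PKI (root, intermediate, server) in a temp directory, and orders the chain file intermediate-then-root. The resolve_issuer function is my approximation of the lookup a certificate manager does to label an issuer (match the cert's issuer DN against each imported CA's subject DN, else "external"); it is not how pfSense implements that lookup.

```shell
#!/bin/sh
# Added example, not from the thread and not pfSense code: build a throwaway
# root -> intermediate -> server chain with the openssl CLI, then run the two
# checks worth doing before importing anything into a pfSense CA entry:
#   1. does the server cert validate against the chain file?
#   2. does its issuer DN equal the subject DN of the intermediate CA?
# resolve_issuer() is my approximation of the lookup a certificate manager
# performs to label the issuer; it is not how pfSense implements it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI; all names are placeholders.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"

  # self-signed root, with explicit CA extensions so verification does not rely on openssl.cnf defaults
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  # intermediate, signed by the root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

  # server CSR the way pfSense produces one: the private key never leaves the box
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/server.crt" 2>/dev/null

  # chain to paste into one CA entry: intermediate first, then root (assumed order)
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.pem"
}

# DN helpers: both outputs use the same openssl formatting, so they compare exactly.
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# Returns 0 when the leaf cert validates against the full chain file.
chain_validates() {
  openssl verify -CAfile "$WORK/chain.pem" "$1" >/dev/null 2>&1
}

# Returns 0 when cert $1 was issued by CA cert $2 (issuer DN == CA subject DN).
issued_by() {
  [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ]
}

# Print the name of the issuing CA among the "imported" CA files given after
# the cert, or "external" when no imported CA's subject matches the issuer.
resolve_issuer() {
  cert=$1; shift
  for ca in "$@"; do
    if issued_by "$cert" "$ca"; then
      basename "$ca" .crt
      return 0
    fi
  done
  echo external
}

make_pki
echo "server.crt validates against chain.pem: $(chain_validates "$WORK/server.crt" && echo yes || echo no)"
echo "with only the root imported, server.crt issuer -> $(resolve_issuer "$WORK/server.crt" "$WORK/root.crt")"
echo "with the intermediate imported, server.crt issuer -> $(resolve_issuer "$WORK/server.crt" "$WORK/int.crt" "$WORK/root.crt")"
```

If chain_validates fails or the issuer resolves to "external" even with the intermediate present, compare the two DNs printed by cert_issuer and cert_subject character for character: a CA re-created with a slightly different subject, or a chain file missing the intermediate, both produce exactly the "external" label seen in the first post's table.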

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.