Netgate Discussion Forum

    [BUG] OpenVPN with external CA and certificates

    FreeMinded

      Hi all

      I'm using several pfSense boxes and I'm quite pleased with it! I have also been successfully using OpenVPN with internal CA and certificates.

      But now I would like to use an external (self-signed) CA for the server and client certificates.
      I have imported the certs of the Root CA (probably not needed) and the intermediate CA I have created (not the keys of course). Then I created a CSR on the pfSense (so the private key stays on the pfSense) which I signed with the intermediate CA (as server cert). I can successfully use this certificate for the web interface having the CAs installed in Firefox.

      Now if I use the same externally signed server cert for my OpenVPN and create a user CSR which is also signed by the intermediate CA, I cannot get the OpenVPN Client Export to show the user's config files.

      Using an internal CA and internally created user certs, it works as expected.

      A detail which might be of interest:

      System > Certificate Manager > CAs
      Name             Internal   Issuer        Certificates
      Root CA          no         self-signed   1
      Intermediate CA  no         Root CA       0
      Internal CA      yes        self-signed   3

      System > Certificate Manager > Certificates
      Name           Issuer
      User Cert 1    external     (signed with Intermediate CA)
      Server Cert 1  external     (signed with Intermediate CA)
      User Cert 2    internal CA
      Server Cert 2  internal CA

      Shouldn't the issuer of User Cert 1 and Server Cert 1 be Intermediate CA and not just external?

      What am I missing?

      Among many other posts I have read
      https://forum.pfsense.org/index.php?topic=103554 and https://forum.pfsense.org/index.php?topic=106213,
      but they didn't really help me.

      Thanks in advance for any help!

      FreeMinded

        I got a bit further on this and also found this bug report https://redmine.pfsense.org/issues/5317

        It works when generating the certificates outside pfSense. Still I would prefer to be able to sign the CSR coming from pfSense.

        cmb

          Import your CA certs as a chain into a single CA config entry.

          FreeMinded

            @cmb:

            Import your CA certs as a chain into a single CA config entry.

            Actually I did that. But it does not solve the problem completely. CSRs generated locally and signed by the intermediate CA still show up with the issuer "external". However, if I generate the CSRs, sign them with the intermediate CA and upload the certs BEFORE installing the Intermediate CA (ca-chain), then they are recognized as being issued by the intermediate CA once the intermediate CA is added.

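The following is an added example, not code from the thread or from pfSense itself. It reproduces with the openssl command line what cmb's reply and the last post are talking about: a root CA, an intermediate signed by it, a server CSR signed by the intermediate, the intermediate+root bundle that goes into a single CA entry, and the issuer-DN-equals-CA-subject comparison by which a certificate gets matched to its issuing CA. All names (Example Root CA, vpn.example.test, the file names) are made up for the demonstration; it assumes only that the `openssl` binary is available.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): build a constructed
# root -> intermediate -> server hierarchy, bundle the chain, and verify.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA (constructed test hierarchy, not a real CA).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Intermediate CA signed by the root, marked CA:TRUE so it may issue certs.
make_intermediate() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/intermediate.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
}

# Stand-in for the CSR generated on the firewall (private key never leaves
# the place the CSR was made); the intermediate signs it as a server cert.
sign_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vpn.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Intermediate followed by root in one PEM: the bundle to paste into a
# single CA entry, as cmb suggests.
build_chain() {
  cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/ca-chain.pem"
}

# Verify the server cert against the bundle; prints "ok" or "fail".
verify_against_chain() {
  if openssl verify -CAfile "$WORK/ca-chain.pem" "$WORK/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Verify against the root alone; fails because the path to the root
# cannot be built without the intermediate.
verify_against_root_only() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The leaf's issuer DN must equal the intermediate's subject DN; this DN
# comparison is how a cert is paired with the CA that signed it.
issuer_matches_intermediate() {
  issuer=$(openssl x509 -noout -issuer -in "$WORK/server.crt" | sed 's/^issuer=//')
  subject=$(openssl x509 -noout -subject -in "$WORK/intermediate.crt" | sed 's/^subject=//')
  [ "$issuer" = "$subject" ] && echo match || echo mismatch
}

make_root
make_intermediate
sign_server_csr
build_chain
echo "verify against chain bundle: $(verify_against_chain)"
echo "verify against root only:    $(verify_against_root_only)"
echo "issuer DN matches intermediate subject: $(issuer_matches_intermediate)"
echo "chain bundle written to $WORK/ca-chain.pem"
```

Run it once and `ca-chain.pem` is the file to import as one CA entry; `openssl verify` against that bundle succeeding while verification against the root alone fails is the quick check that the intermediate really is part of the trusted path, and the DN comparison at the end is what to inspect when a cert that you know was signed by the intermediate still lists its issuer as external.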
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.