I have OpenVPN working just fine between two Arch boxes, using a single Certificate Authority that issues both the client and server certs.
But I'd like to use the setup described on their wiki [1] where the client-side certs are issued by an intermediate CA (I call it "working-ca"), whose cert in turn was issued by the root CA ("root-ca"). But I'm unsuccessful:
* the client is happy
* the server reports "VERIFY ERROR: depth=1, error=invalid CA certificate: CN=working-ca"
Here's the basic algorithm I'm using:
* generate root-ca key, self-sign
* generate working-ca key, issue csr, have root-ca sign
* generate server key, issue csr, have root-ca sign
* generate client key, issue csr, have working-ca sign
* use server key, crt and root-ca on the server
* use client key, concatenation of client crt and working-ca crt as crt, and root-ca on the client
(Here's a Makefile that implements the algorithm [2] and a description of which files go where at the bottom of [3].)
Chances are this is something very silly. Your help is very much appreciated.
[1] https://community.openvpn.net/openvpn/w … ate_Chains
[2] https://github.com/jernst/make-openvpn- … a/Makefile
[3] https://github.com/jernst/make-openvpn- … -ca-and-ca
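OpenSSL reports `invalid CA certificate` for a certificate that appears as an issuer in the chain but is not marked as a CA, for example one signed without `basicConstraints=CA:TRUE`. The script below is an added example, not the poster's Makefile: it builds the root-ca, working-ca and client chain from the post twice with the `openssl` CLI and verifies the client certificate against root-ca alone. The `plain`/`ca` modes, the `ca.ext` file and the function names are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added demo; every file and subject name below is constructed for illustration.

new_key_csr() {  # $1 = name -> writes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
}

sign() {  # $1 = subject, $2 = issuer, $3 = optional extensions file
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 ${3:+-extfile "$3"} -out "$1.crt" 2>/dev/null
}

# $1 = "plain": working-ca signed with no extensions
# $1 = "ca":    working-ca signed with basicConstraints CA:TRUE
verify_chain() {
  local dir rc
  dir=$(mktemp -d) || return 2
  (
    cd "$dir" || exit 2
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
    new_key_csr root-ca
    openssl x509 -req -in root-ca.csr -signkey root-ca.key -extfile ca.ext \
      -days 30 -out root-ca.crt 2>/dev/null
    new_key_csr working-ca
    if [ "$1" = "ca" ]; then sign working-ca root-ca ca.ext
    else sign working-ca root-ca; fi
    new_key_csr client
    sign client working-ca
    # Same trust setup as the server in the post: root-ca is the only trust
    # anchor, working-ca arrives as an untrusted intermediate.
    openssl verify -CAfile root-ca.crt -untrusted working-ca.crt client.crt 2>&1
  ) && rc=0 || rc=$?
  rm -rf "$dir"
  return "$rc"
}

for mode in plain ca; do
  printf '== working-ca mode: %s ==\n%s\n' "$mode" "$(verify_chain "$mode")"
done
```

To inspect an existing intermediate, `openssl x509 -in working-ca.crt -noout -text` shows whether an `X509v3 Basic Constraints` section with `CA:TRUE` is present.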