#1 2018-05-19 00:02:15

jernst
Member
From: Silicon Valley
Registered: 2014-03-04
Posts: 290

Unsuccessful with OpenVPN chained certificates

I have OpenVPN working just fine between two Arch boxes, using a single Certificate Authority that issues both the client and server certs.

But I'd like to use the setup described on their wiki [1] where the client-side certs are issued by an intermediate CA (I call it "working-ca"), whose cert in turn was issued by the root CA ("root-ca"). But I'm unsuccessful:
* the client is happy
* the server reports "VERIFY ERROR: depth=1, error=invalid CA certificate: CN=working-ca"

Here's the basic algorithm I'm using:
* generate root-ca key, self-sign
* generate working-ca key, issue csr, have root-ca sign
* generate server key, issue csr, have root-ca sign
* generate client key, issue csr, have working-ca sign
* use server key, crt and root-ca on the server
* use client key, concatenation of client crt and working-ca crt as crt, and root-ca on the client

(Here's a Makefile that implements the algorithm [2] and a description of which files go where at the bottom of [3])

Chances are this is something very silly. Your help is very much appreciated.


[1] https://community.openvpn.net/openvpn/w … ate_Chains
[2] https://github.com/jernst/make-openvpn- … a/Makefile
[3] https://github.com/jernst/make-openvpn- … -ca-and-ca

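The chain the post describes, as an added shell example built with plain openssl (this is not the Makefile linked in the post and not OpenVPN project code; the file names, directory layout and extension files are this example's assumptions). It also includes the check a practitioner would run before blaming OpenVPN: `openssl verify` with root-ca as the only trust anchor and working-ca passed as untrusted, which is what the server does during the handshake. OpenSSL accepts a certificate in the intermediate position only if it carries basicConstraints CA:TRUE (and, if it has a keyUsage, one that includes keyCertSign); an intermediate issued without those extensions fails at depth 1 with exactly "invalid CA certificate", so the example reissues working-ca that way to show the difference.

```shell
#!/bin/sh
# Added example, not the Makefile from the post and not OpenVPN project code:
# build root-ca -> working-ca -> client and root-ca -> server with plain
# openssl, then verify both chains the way OpenVPN (via OpenSSL's
# X509_verify_cert) does. File names and extension contents are assumptions.
set -eu

# Minimal req config so the example does not depend on the system openssl.cnf.
write_configs() {
  cat > "$1/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
default_md = sha256
[ dn ]
EOF
  # OpenSSL accepts a certificate in the intermediate position only if it
  # carries basicConstraints CA:TRUE (and any keyUsage present includes
  # keyCertSign); otherwise verification stops at that depth with
  # "invalid CA certificate".
  cat > "$1/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$1/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  cat > "$1/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# new_csr DIR NAME -> DIR/NAME.key and DIR/NAME.csr with CN=NAME
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign_csr DIR NAME ISSUER EXTFILE -> DIR/NAME.crt issued by ISSUER
# (ISSUER "self" means self-signed). Extensions come only from EXTFILE.
sign_csr() {
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 3650 \
      -extfile "$1/$4" -out "$1/$2.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
      -CAcreateserial -days 365 -extfile "$1/$4" -out "$1/$2.crt" 2>/dev/null
  fi
}

# build_pki DIR: the layout from the post. Server and intermediate are issued
# by root-ca, the client by working-ca; the client ships its cert followed by
# the intermediate, the server trusts only root-ca.
build_pki() {
  write_configs "$1"
  new_csr "$1" root-ca;    sign_csr "$1" root-ca    self       ca.ext
  new_csr "$1" working-ca; sign_csr "$1" working-ca root-ca    ca.ext
  new_csr "$1" server;     sign_csr "$1" server     root-ca    server.ext
  new_csr "$1" client;     sign_csr "$1" client     working-ca client.ext
  cat "$1/client.crt" "$1/working-ca.crt" > "$1/client-chain.crt"
}

# verify_chain DIR LEAF [INTERMEDIATE]: the check the server performs. The
# trust anchor is root-ca.crt alone (the "ca" option); the intermediate, if
# any, is passed -untrusted, as it arrives inside the TLS handshake.
# Prints openssl's verdict; exit status is openssl's.
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1/root-ca.crt" -untrusted "$1/$3" "$1/$2" 2>&1
  else
    openssl verify -CAfile "$1/root-ca.crt" "$1/$2" 2>&1
  fi
}

# bad_intermediate_output DIR: reproduce the symptom from the post. Re-issue
# working-ca from the same CSR (same key, so the client's signature still
# checks out) but with no extensions at all, and verify the client through it.
# Always returns 0 so the caller can inspect the printed verdict.
bad_intermediate_output() {
  openssl x509 -req -in "$1/working-ca.csr" -CA "$1/root-ca.crt" \
    -CAkey "$1/root-ca.key" -CAcreateserial -days 365 \
    -out "$1/bad-working-ca.crt" 2>/dev/null
  verify_chain "$1" client.crt bad-working-ca.crt || true
}

demo="$(mktemp -d)"
build_pki "$demo"
verify_chain "$demo" server.crt
verify_chain "$demo" client.crt working-ca.crt
echo "--- same client, working-ca re-issued without CA extensions:"
bad_intermediate_output "$demo"
```

Run it with `sh`; it needs only openssl (1.1.1 or later) in PATH. To check what an existing intermediate actually carries, `openssl x509 -in working-ca.crt -noout -text` should show "X509v3 Basic Constraints: critical, CA:TRUE"; if that section is missing, the server-side verify will reject the chain at depth 1 regardless of how the client concatenates its files.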
