Hi,
I recently exported certificates generated by OPNsense for my OpenVPN connection. To use the network for servers, I wanted to supply them with static IPs using "ifconfig-push" as a client override.
However, when checking the certificates for the Common Name, I realized that the Common Name of the certificate is the same as the Authority's (CA). This means all the certificates have the same Common Name, rendering the ifconfig solution impossible.
In the OPNsense WebGUI, the Common Name is correct. Reading the actual cert, however, the CNs are identical. In this case both are "internal-sslvpn-ca", which is the CN of the CA.
WebGUI:
emailAddress=info@XXXX, ST=HB, O=XXXX, L=HB, CN=nextcloud_VPN-cert, C=DE
The output of openssl x509 -noout -text -in nextcloud_VPN-cert.ovpn
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=DE, ST=HB, L=HB, O=XXXX/emailAddress=XXXX, CN=internal-sslvpn-ca
        Validity
            Not Before: Jul 19 15:17:05 2022 GMT
            Not After : Oct 21 15:17:05 2024 GMT
        Subject: C=DE, ST=HB, L=HB, O=XXXX/emailAddress=XXXX, CN=internal-sslvpn-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
Is this a bug?
Hi
With "Serial Number: 0 (0x0)" it really looks like the CA's cert. You can check the X509v3 Basic Constraints CA value.
Yes, the X509v3 Basic Constraints CA value states it is a Cert, as it should.
I am quite sure this is a bug. I created the certificates in pfSense the same way I did on the OPNsense and it worked. The CN is now as given in the GUI and not the CA.
However, I now stay with pfSense since I installed it and it just works (as well as dyndns).
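A way to inspect each certificate in an exported .ovpn file separately, as an added example that is not part of the thread: `openssl x509` parses only the first PEM certificate in its input, and an OpenVPN config can carry several inline blocks such as `<ca>` and `<cert>`. The helper names, the sample file contents and the assumption that the export uses inline blocks are mine.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not OPNsense or OpenVPN tooling.

# Print the body of one inline block (ca, cert, ...) from an OpenVPN config.
# $1 = path to the .ovpn file, $2 = tag name without angle brackets.
ovpn_block() {
    awk -v tag="$2" '
        { sub(/\r$/, "") }                    # tolerate CRLF line endings
        $0 == ("</" tag ">") { inside = 0 }   # closing tag: stop copying
        inside               { print }
        $0 == ("<" tag ">")  { inside = 1 }   # opening tag: start copying
    ' "$1"
}

# Show subject, issuer and serial of the certificate in one inline block.
# Compare the result for "ca" with the result for "cert".
ovpn_cert_info() {
    ovpn_block "$1" "$2" | openssl x509 -noout -subject -issuer -serial
}

# Write a constructed sample config (placeholder bodies, CRLF line endings)
# to the path in $1 so ovpn_block can be tried without a real export.
make_sample_ovpn() {
    printf '%s\r\n' 'client' 'remote vpn.example.invalid 1194' \
        '<ca>' 'CONSTRUCTED-CA-CERT-BODY' '</ca>' \
        '<cert>' 'CONSTRUCTED-CLIENT-CERT-BODY' '</cert>' > "$1"
}

# Usage on a real export:
#   ovpn_cert_info nextcloud_VPN-cert.ovpn ca
#   ovpn_cert_info nextcloud_VPN-cert.ovpn cert
```

For ifconfig-push matching, the Subject CN reported for the `cert` block is the one to check.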