OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: siegfried on March 18, 2019, 12:37:41 pm

Title: [SOLVED] Certificate check wrong result?
Post by: siegfried on March 18, 2019, 12:37:41 pm
Hello all,

I'm using certificates issued by our internal PKI; all the certs for the boxes are generated with extendedKeyUsage for serverAuth. In the past I was able to make changes in OpenVPN servers. But the GUI is showing me (since update to 19.1.4?) that the cert is not used for server use. So I cannot make any changes in the OpenVPN configuration; the GUI is telling me that the "certificate is not intended for server use".
Also, a certificate issued by the internal CA is unusable for the OpenVPN server (same message)... What's wrong?

Thanks in advance for your help!

Title: Re: Certificate check wrong result?
Post by: siegfried on March 18, 2019, 02:03:02 pm
Solved: the cert has to be set both for keyUsage AND ExtendedKeyUsage for OpenVPN. But in the past (pre 19.1.3) it was possible to use a server cert with just ExtendedKeyUsage and set the client options.

Title: Re: [SOLVED] Certificate check wrong result?
Post by: sulci on April 23, 2019, 10:51:05 am
Hello!
Could you tell me how you did that?
Best Regards

Title: Re: [SOLVED] Certificate check wrong result?
Post by: Vincent Chen on May 19, 2019, 09:48:46 am
I just migrated to OPNsense today and got the same issue. Here is how I solved this problem:

When creating a certificate for the OpenVPN server, you should have the 'X509v3 key usage' and 'X509v3 Extended key usage' options. My first certificate only had 3 'X509v3 key usage' values (digital signature, non repudiation, key encipherment), and this certificate wouldn't work; instead it showed the error described above. When creating the second certificate, I also selected 3 'X509v3 Extended key usage' values (TLS web server, TLS web client, code signing), and this one was accepted by the OPNsense OpenVPN server.

Hope this helps
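
Added example, not part of any post above and not code from OPNsense: a shell check that a certificate carries both a keyUsage extension and an extendedKeyUsage listing server authentication, which is the combination this thread reports as required. The config section names, the CN, the keyUsage bits chosen and both function names are assumptions; the check only tests that the two extensions are present, not which bits OPNsense itself requires.

```sh
#!/bin/sh
# Added example: throwaway self-signed certs, constructed for this check.

# make_cert <section> <out.pem>: create a test cert with that extension set.
make_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = vpn.example.test
[eku_only]
extendedKeyUsage = serverAuth
[ku_and_eku]
# keyUsage bits below are an assumption (typical TLS server values)
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    rc=0
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$cfg" -extensions "$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null || rc=$?
    rm -f "$cfg" "$2.key"
    return "$rc"
}

# check_server_cert <cert.pem>: succeed only if the cert has a Key Usage
# extension AND an Extended Key Usage listing TLS server authentication.
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    ku=no; eku=no
    printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' && ku=yes
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' && eku=yes
    echo "keyUsage=$ku serverAuth=$eku"
    [ "$ku" = yes ] && [ "$eku" = yes ]
}

# Demo: the EKU-only cert fails the check, the KU+EKU cert passes.
d=$(mktemp -d)
for s in eku_only ku_and_eku; do
    make_cert "$s" "$d/$s.pem" || continue
    if check_server_cert "$d/$s.pem"; then echo "$s: ok"; else echo "$s: rejected"; fi
done
rm -rf "$d"
```

To check an existing certificate, call `check_server_cert` on its PEM file before selecting it for the OpenVPN server.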