OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: siegfried on March 18, 2019, 12:37:41 pm
-
Hello all,
i'm using certificates issued by our internal PKI, all the certs for the boxes are generated with extentedKeyUsage for serverAuth. In the past i was able to make changes in OpenVPN servers. But the GUI is showing me (since update to 19.1.4?) that the cert is not used for server use. So i cannot make any changes in OpenVPN configuration, the GUI is telling me that that "certificate is not intended for server use".
Also a certificate issued by the internal CA is unusable for OpenVPN server (same message)...what's wrong?
Thanks in advance for your help!
-
Solved: the cert has to be set both for keyUsage AND ExtendedKeyUsage for OpenVPN. But in the past (pre 19.1.3) it was possible a server cert just with ExtentedKeyUsage and set the client options.
-
Hello!
Could you tell me, how did you do that?
Best Regards
-
I just migrate to opnsense today and got the same issue. Here is how I solve this problem:
When create certificate for openvpn server, you should have 'X509v3 key usage' and
'X509v3 Extended key usage' options. My first created certificate only has 3 'X509v3 key usage'
digital signaute, non repudiation, key encipherment, and this certificate wont work instead
showed describe error above. While create seconde certificate, I also select 3 'X509v3 Extended key usage'
TLS web server, TLS web client, code signing, and this one accepted by opnsense openvpn
server.
Hope this helps