OPNsense Forum

English Forums => Virtual private networks => Topic started by: spi39492 on February 12, 2022, 05:24:06 pm

Title: how to limit OpenVPN to accept client certificates from one intermediate CA only
Post by: spi39492 on February 12, 2022, 05:24:06 pm
Hi all

I have a self-signed CA with the following structure:

Code:
root ca
|
+--- intermediate1 - server certificates
+--- intermediate3 - client certificates for wifi and app authentication
+--- intermediate4 - site2site OpenVPN certificates
+-+- intermediate5 - for historical reasons: OpenVPN client certificates for road warriors
  +--- Server Certificate for OpenVPN server: "gw_openvpn4clients"
  +--- OpenVPN user 1
  +--- ...
  +--- OpenVPN user n

The opnsense server config for the OpenVPN server looks like:
Code:
Server Mode                     Remote Access (SSL/TLS)
Peer Certificate Authority      intermediate5
Server Certificate              gw_openvpn4clients

Clients can connect to the OpenVPN server using their client certificates issued by intermediate5.

Despite the "Certificate Depth" setting, clients with client certificates issued by intermediate3 can also connect, which I didn't expect, as I thought the "Peer Certificate Authority" setting would limit access to certificates from this intermediate CA only.

In the Trust/Authorities section only the root CA, intermediate1, intermediate4 and intermediate5 are imported.

How can I configure OpenVPN to only allow clients with certificates issued by intermediate5 to connect?

Edit: I found a workaround by adding "verify-hash xx:xx:xx...;" to "Advanced" in the OpenVPN server settings. But it says that this option will be removed in the future, so there might be a need for something else...
xx:xx:xx... is the fingerprint of intermediate5 in my case.

Thanks in advance,
spi
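An alternative to pinning the fingerprint with a deprecated option, added here as an example and not part of the original post or of OPNsense: a `tls-verify` hook that OpenVPN runs once per certificate in the peer's chain (`<script> <depth> <subject>`, with that certificate's SHA-256 fingerprint exported as `tls_digest_sha256_<depth>`), rejecting any chain whose depth-1 issuer is not intermediate5. It assumes `script-security 2` and a `tls-verify` line pointing at the script in the server's advanced options; the script path and the fingerprint value are constructed placeholders.

```shell
#!/bin/sh
# tls-verify hook: OpenVPN invokes it once per certificate in the peer's chain as
#   <script> <depth> <x509-subject>
# and exports tls_digest_sha256_<depth> holding that certificate's SHA-256 fingerprint.
# Exit 0 accepts the certificate at this depth; non-zero rejects the whole connection.
# Assumed server config lines (standard OpenVPN options):
#   script-security 2
#   tls-verify /usr/local/etc/openvpn/verify-issuer.sh   # path is an assumption

# Constructed placeholder: replace with the real SHA-256 fingerprint of intermediate5
EXPECTED_ISSUER_FP="00:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14:15:16:17:18:19:1A:1B:1C:1D:1E:1F"
# Chain depths for root -> intermediate5 -> client: leaf = 0, intermediate5 = 1, root = 2
ISSUER_DEPTH=1

# Drop colons and upper-case hex so formatting differences do not cause false rejects
normalize() {
  printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# verify_depth DEPTH EXPECTED_FP -> 0 if the certificate at DEPTH is acceptable
verify_depth() {
  depth="$1"
  expected="$2"
  if [ "$depth" -ne "$ISSUER_DEPTH" ]; then
    # Leaf and root are still validated by OpenVPN's normal CA check and
    # "Certificate Depth"; only the issuer position is pinned here.
    return 0
  fi
  eval "actual=\${tls_digest_sha256_${depth}:-}"
  if [ -z "$actual" ]; then
    echo "tls-verify: no SHA-256 digest exported for depth $depth" >&2
    return 1
  fi
  if [ "$(normalize "$actual")" != "$(normalize "$expected")" ]; then
    echo "tls-verify: issuer at depth $depth is not intermediate5, rejecting" >&2
    return 1
  fi
  return 0
}

# Only act as the hook when OpenVPN calls us with arguments
if [ $# -ge 1 ]; then
  verify_depth "$1" "$EXPECTED_ISSUER_FP"
  exit $?
fi
```

With this in place a client certificate issued by intermediate3 still passes the CA check against the root, but fails at depth 1 and is rejected before any user authentication happens.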