Archive => 17.1 Legacy Series

Title: OpenVPN and Intermediate Root CA
Post by: 8191 on March 19, 2017, 09:32:52 pm

I'm struggling with OpenVPN and a more or less simple CA hierarchy. My CA chain looks like this:

Code:
Root CA (external)
   +-- Server Certificate
   \-- Client Sub-CA (internal of OPNsense)
      +-- user1
      +-- user2
      \-- usern

All CAs are installed into OPNsense. As a "Peer Certificate Authority" I have configured the "Client Sub-CA", as this is the CA directly signing the user certificates. The OpenVPN "Server Certificate" is the Server Certificate, which is not signed by the same CA as the user certificates, but its ancestor.

When trying to connect to this OpenVPN server I receive an error of VERIFY ERROR: depth=1, error=unable to get issuer certificate: Client Sub-CA. So OpenVPN is complaining that it cannot verify the configured "peer certificate authority". This is strange in some way, as I have configured this CA manually as a trusted certification authority, so why shall its root be validated? :-\

Anyway, the solution to this is, simply adding the "Root CA" to the OpenVPN's certificate (/var/etc/openvpn/server1.ca), but my question is if it is a valid and intended behaviour, that OpenVPN questions my configured peer certificate authority.
Title: Re: OpenVPN and Intermediate Root CA
Post by: With Wings on March 20, 2017, 06:13:46 am
It should try to verify the signature of every Certificate Authority in the chain, up to the root. I don't know how you would configure the Root Certificate as a 'trusted certifying authority', as that phrase makes me think of windows. I would assume that BSD has to have a store of trusted Root Certificates somewhere. I haven't seen a GUI option for it though.
Title: Re: OpenVPN and Intermediate Root CA
