OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: remd on November 23, 2017, 07:03:19 pm

Title: openvpn using external CA doesn't work
Post by: remd on November 23, 2017, 07:03:19 pm
Using the latest 17.7.8 version of opnsense on opnsense hardware - https://www.applianceshop.eu/security-appliances/19-rack-appliances/opnsense-based/opnsense-quad-core-gen3-10gb-ssd.html

OpenVPN works fine when using a self-generated CA and certificates; the issue, however, is that we want to use our own CA and certificates, and this doesn't seem to work.
The issue seems to be that at SwissSign the server certificate and the user certificate are made from their respective intermediate CA (the intermediate CAs are, however, made from the same root CA), so opnsense/openvpn seems to think that there is a mismatch.

Does anyone know if there is anything that can be configured to make it work?

There is an issue on the pfsense forum from someone who has the same issue:
https://forum.pfsense.org/index.php?topic=136116.0

And a description of the issue on the openvpn forum
https://forums.openvpn.net/viewtopic.php?f=6&t=25322

Title: Re: openvpn using external CA doesn't work
Post by: franco on November 23, 2017, 07:08:19 pm
Do you have the full chain imported or just your intermediate CA?


Cheers,
Franco
Title: Re: openvpn using external CA doesn't work
Post by: remd on November 24, 2017, 03:01:24 pm
I tried both ways, full chain and only intermediate; that didn't seem to make a difference.
I mean I imported the CA and then imported the intermediate as well, and in the intermediate I tried to enter only the intermediate CA and both the CA and intermediate.
Title: Re: openvpn using external CA doesn't work
Post by: remd on November 24, 2017, 03:07:39 pm
I noticed one difference between the self cert and the SwissSign one in the opnsense GUI: in System, Trust, Certificates, the self cert mentions "CA: No, Server: Yes" and the SwissSign one mentions "CA: No, Server: No".
Title: Re: openvpn using external CA doesn't work
Post by: remd on November 24, 2017, 04:09:36 pm
I did some more tries. Apparently, if you enter both the server and user intermediate CA in an Authority, it's only going to read the first one, so you have to create two Intermediate CAs, and that's why it sees them as a mismatch.

The issue here, as mentioned, is that at SwissSign they use the same root CA but a dedicated Intermediate CA for servers and one for users, so two different intermediate CAs, and this doesn't seem to work.

Does anyone know a way to make this work?
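The two observations in this thread (only the first certificate of a pasted bundle gets used, and the self-made server cert shows "Server: Yes" while the SwissSign one does not) can be reproduced outside the GUI. The script below is an added example, not code from the thread or from OPNsense: it builds a constructed PKI with the same shape (one root, a server intermediate, a user intermediate), then shows that a bundle holding only the root fails to verify either leaf while a bundle with the root and both intermediates verifies both, and checks which leaf carries the serverAuth extended key usage that a client running `remote-cert-tls server` requires. All names are constructed and only the `openssl` CLI is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the SwissSign-style layout the
# poster describes (root, server intermediate, user intermediate) and check
# which CA bundle lets the leaf certificates verify. Names are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# sign NAME CA EXTENSIONS: new EC key + CSR for NAME, signed by CA ("self" = root)
sign() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  printf '%s\n' "$3" > "$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 \
      -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  fi
}
build_pki() {
  ca='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
  sign root       self "$ca"
  sign server-ica root "$ca"      # dedicated intermediate for servers
  sign user-ica   root "$ca"      # dedicated intermediate for users
  sign vpnserver server-ica 'basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
keyUsage=digitalSignature,keyEncipherment'
  sign alice     user-ica   'basicConstraints=CA:FALSE
extendedKeyUsage=clientAuth
keyUsage=digitalSignature'
  cp root.crt root-only.pem                                  # root alone
  cat root.crt server-ica.crt user-ica.crt > full-chain.pem  # root + both ICAs
}
# verify_with BUNDLE CERT: 0 if CERT chains to BUNDLE. OpenVPN's "ca" file may
# hold several PEM certificates concatenated, exactly like full-chain.pem.
verify_with() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# is_server_cert CERT: 0 if it carries the serverAuth EKU that a client
# running "remote-cert-tls server" requires of the server certificate
is_server_cert() { openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'; }
build_pki
for bundle in root-only.pem full-chain.pem; do
  for cert in vpnserver.crt alice.crt; do
    if verify_with "$bundle" "$cert"; then r=OK; else r=FAIL; fi
    echo "$bundle + $cert: $r"
  done
done
is_server_cert vpnserver.crt && echo "vpnserver.crt: serverAuth EKU present"
is_server_cert alice.crt || echo "alice.crt: no serverAuth EKU (user certificate)"
```

The same `openssl verify -CAfile` check against the CA bundle OPNsense actually writes for the OpenVPN instance tells you whether the chain it ended up with is complete, independently of what the certificate list in the GUI displays.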