Exported Certificates with wrong Common Names?

Started by tsaG, July 21, 2022, 11:59:14 PM

July 21, 2022, 11:59:14 PM Last Edit: July 22, 2022, 12:06:42 AM by tsaG
Hi,

I recently exported certificates generated by OPNsense for my OpenVPN connection. To use the network for servers, I wanted to supply them with static IPs using "ifconfig-push" as a client override.

However, when checking the certificates for the Common Name, I realized that the Common Name of the certificate is the same as the Authority's (CA). This means all the certificates have the same Common Name, rendering the ifconfig solution impossible.

In the OPNsense WebGUI, the Common Name is correct. Reading the actual cert, however, the CNs are identical. In this case both are "internal-sslvpn-ca", which is the CN of the CA.

WebGUI:
emailAddress=info@XXXX, ST=HB, O=XXXX, L=HB, CN=nextcloud_VPN-cert, C=DE

The output of openssl x509 -noout -text -in nextcloud_VPN-cert.ovpn

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=DE, ST=HB, L=HB, O=XXXX/emailAddress=XXXX, CN=internal-sslvpn-ca
        Validity
            Not Before: Jul 19 15:17:05 2022 GMT
            Not After : Oct 21 15:17:05 2024 GMT
        Subject: C=DE, ST=HB, L=HB, O=XXXX/emailAddress=XXXX, CN=internal-sslvpn-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Is this a bug?

Hi
With "Serial Number: 0 (0x0)" it really looks like the CA's cert. You can check the X509v3 Basic Constraints CA value.

Yes, the X509v3 Basic Constraints CA value states it is a Cert, as it should.

I am quite sure this is a bug. I created the certificates in pfSense the same way I did on the OPNsense and it worked. The CN is now as given in the GUI and not the CA.
However, I now stay with pfSense since I installed it and it just works (as well as dyndns).
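
The check discussed in this thread (subject CN, issuer CN and the Basic Constraints CA flag) can be run over every certificate in a file rather than only one. `openssl x509` parses only the first PEM certificate in its input, so if an exported file holds more than one, each has to be split out first. This is an added example, not part of the original thread and not OPNsense code; the function names `cn_of` and `list_certs` are hypothetical.

```shell
#!/bin/sh
# Added example: report every PEM certificate embedded in one file
# (for instance an exported .ovpn profile with inline certificate blocks).

# Print the CN of the subject or issuer ($1) of the certificate in file $2.
cn_of() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" |
        sed -e "s/^$1= *//" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Print one line per certificate: position, subject CN, issuer CN, CA flag.
list_certs() {
    tmpdir=$(mktemp -d) || return 1
    # Write each BEGIN/END CERTIFICATE block to its own numbered file.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
    i=0
    for pem in "$tmpdir"/*.pem; do
        [ -e "$pem" ] || continue
        i=$((i + 1))
        # The CA flag is read from the X509v3 Basic Constraints extension.
        if openssl x509 -noout -text -in "$pem" | grep -q 'CA:TRUE'; then
            ca=TRUE
        else
            ca=FALSE
        fi
        echo "cert $i: subject_cn=$(cn_of subject "$pem") issuer_cn=$(cn_of issuer "$pem") ca=$ca"
    done
    rm -rf "$tmpdir"
}

# Usage: sh list_certs.sh nextcloud_VPN-cert.ovpn
if [ "$#" -gt 0 ]; then list_certs "$1"; fi
```

A client certificate suitable for matching a client override should appear as a line with `ca=FALSE` and a `subject_cn` different from its `issuer_cn`.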