Have RootCA with KeyUsage extension (?)

Started by tsaG, July 20, 2022, 09:57:43 PM

Hey! I switched from WireGuard to OpenVPN. However, TrueNAS Scale doesn't want to eat it. When I input the OpenVPN connection details to use TrueNAS as an OpenVPN client, I get the message "Root CA must have KeyUsage extension set." I exported the client certificates (including CA, CERT and private key) from OPNsense in the OpenVPN Client Export section. Any ideas how to fix that? As I see, there is no specific option to add this.

I was following the Roadwarrior OpenVPN Tutorial: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html


Seems to be a bug in OPNsense, not associated with your client cert, but (as the error message says) with your VPN Root CA, which as a CA should indeed have a KeyUsage extension of type "critical" with the values "Certificate Sign, CRL Sign". I just tested with OPNsense 22.1.10; internal CAs created via the web GUI don't have this extension.

The only solution I can see right now is to create a Root CA having a correct KeyUsage extension with OpenSSL or any appropriate tool, import this into your OPNsense and reissue the client certificates using this Root CA.
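The workaround described above, as an added example that is not code from the thread, from OPNsense or from TrueNAS: a POSIX shell script that builds a root CA with a critical KeyUsage of keyCertSign and cRLSign, issues a client certificate under it, and provides a check that looks for exactly the extension the TrueNAS error message asks for. It assumes `openssl` (1.1.1 or newer, for the `-ext` option) is on the PATH; the CA name, the client name and the `$WORKDIR` paths are placeholders, and the second "no KeyUsage" CA is built only to show what the check rejects.

```shell
#!/bin/sh
# Added example: build a root CA that carries a critical KeyUsage extension,
# reissue a client certificate under it, and check any CA cert for the
# extension. Assumes openssl >= 1.1.1 on the PATH; names are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# OpenSSL request config for the CA. The [v3_ca] section is what produces
# "X509v3 Key Usage: critical / Certificate Sign, CRL Sign" in the cert.
write_ca_config() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = Example VPN Root CA

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Self-signed root CA with the correct extension set.
make_root_ca() {
  write_ca_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -config "$WORKDIR/ca.cnf" >/dev/null 2>&1
}

# A CA that is CA:TRUE but has no keyUsage at all, mimicking the certificate
# the thread describes, so the check below has something to reject.
make_ca_without_keyusage() {
  sed '/^keyUsage/d' "$WORKDIR/ca.cnf" > "$WORKDIR/noku.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORKDIR/noku.key" -out "$WORKDIR/noku.crt" \
    -config "$WORKDIR/noku.cnf" >/dev/null 2>&1
}

# Returns 0 when the certificate carries a critical KeyUsage that includes
# both Certificate Sign and CRL Sign, 1 otherwise. This mirrors the wording
# of the TrueNAS error message, not TrueNAS's own validation code.
check_ca_keyusage() {
  ku=$(openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null) || return 1
  printf '%s\n' "$ku" | grep -q 'Key Usage: critical' || return 1
  printf '%s\n' "$ku" | grep -q 'Certificate Sign' || return 1
  printf '%s\n' "$ku" | grep -q 'CRL Sign'
}

# Reissue a client certificate under the new root CA (TLS client auth only).
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn-client-1" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" >/dev/null 2>&1
  cat > "$WORKDIR/client.cnf" <<'EOF'
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  openssl x509 -req -sha256 -days 825 -in "$WORKDIR/client.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/client.cnf" -extensions v3_client \
    -out "$WORKDIR/client.crt" >/dev/null 2>&1
}

# Returns 0 when the client cert chains to the root CA.
verify_client_chain() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/client.crt" >/dev/null 2>&1
}

# Demo run: generate both CAs, report which one passes, then issue a client.
make_root_ca
make_ca_without_keyusage
if check_ca_keyusage "$WORKDIR/ca.crt"; then echo "ca.crt: KeyUsage OK"; fi
if ! check_ca_keyusage "$WORKDIR/noku.crt"; then echo "noku.crt: KeyUsage missing"; fi
issue_client_cert
if verify_client_chain; then echo "client.crt chains to ca.crt"; fi
```

After importing `ca.crt` and `ca.key` as a CA in OPNsense and reissuing the client certificates under it, the same `check_ca_keyusage` can be run against the CA block of the exported client bundle to confirm the extension is present before pasting it into TrueNAS.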



Thanks! We will look into it next week.


Cheers,
Franco