Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.7 Legacy Series
»
openvpn using external CA doesnt work
« previous
next »
Print
Pages: [
1
]
Author
Topic: openvpn using external CA doesnt work (Read 4774 times)
remd
Jr. Member
Posts: 55
Karma: 5
openvpn using external CA doesnt work
«
on:
November 23, 2017, 07:03:19 pm »
Using the latest 17.7.8 version of opnsense on opnsense hardware -
https://www.applianceshop.eu/security-appliances/19-rack-appliances/opnsense-based/opnsense-quad-core-gen3-10gb-ssd.html
OpenVPN works fine when using a self generated CA and Certificates, the issue however is that we want to use our own CA and certificates, and this doesnt seem to work.
The issue seems to be that at SwissSign the server certificate and the user certificate are made from their respective intermediate CA (the intermediate CA is however made from the same root CA), so opnsense/openvpn seems to think that there is a mismatch.
Does anyone know if there is anything that can be configured to make it work ?
There is an issue on the pfsense forum from someone that has the same issue
https://forum.pfsense.org/index.php?topic=136116.0
And a description of the issue on the openvpn forum
https://forums.openvpn.net/viewtopic.php?f=6&t=25322
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: openvpn using external CA doesnt work
«
Reply #1 on:
November 23, 2017, 07:08:19 pm »
Do you have the full chain imported or just your intermediate CA?
Cheers,
Franco
Logged
remd
Jr. Member
Posts: 55
Karma: 5
Re: openvpn using external CA doesnt work
«
Reply #2 on:
November 24, 2017, 03:01:24 pm »
I tried both ways. Full chain and only intermediate, that didnt seem to make a difference
I mean I imported the CA and then imported the intermediate as well, and in the intermediate I tried to enter only the intermediate CA and both the CA and intermediate.
«
Last Edit: November 24, 2017, 03:03:48 pm by remd
»
Logged
remd
Jr. Member
Posts: 55
Karma: 5
Re: openvpn using external CA doesnt work
«
Reply #3 on:
November 24, 2017, 03:07:39 pm »
I noticed one difference between the self cert and the SwissSign one in the opnsense gui, in System, Trust, Certificates, the self cert mentions: CA:No, Server: Yes and the SwissSign mentions: CA:No, Server No
Logged
remd
Jr. Member
Posts: 55
Karma: 5
Re: openvpn using external CA doesnt work
«
Reply #4 on:
November 24, 2017, 04:09:36 pm »
I did some more tries, so apparently if you enter both the server and user intermediate CA in an Authority its only going to read the first one, so you have to create two Intermediate CA's and thats why it sees them as a mismatch.
The issue here, as mentioned, is that at SwissSign they use the same root CA, but a dedicated Intermediate CA for Servers and one for users, so two different intermediate CA's, and this doesnt seem to work.
Does anyone know a way to make this work ?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.7 Legacy Series
»
openvpn using external CA doesnt work