[SOLVED] Certificate check wrong result?

[siegfried]

Hello all,

i'm using certificates issued by our internal PKI, all the certs for the boxes are generated with extentedKeyUsage for serverAuth. In the past i was able to make changes in OpenVPN servers. But the GUI is showing me (since update to 19.1.4?) that the cert is not used for server use. So i cannot make any changes in OpenVPN configuration, the GUI is telling me that that "certificate is not intended for server use".
Also a certificate issued by the internal CA is unusable for OpenVPN server (same message)...what's wrong?

Thanks in advance for your help!

[siegfried]

Solved: the cert has to be set both for keyUsage AND ExtendedKeyUsage for OpenVPN. But in the past (pre 19.1.3) it was possible a server cert just with ExtentedKeyUsage and set the client options.

[sulci]

Hello!
Could you tell me, how did you do that?
Best Regards

[Vincent Chen]

I just migrate to opnsense today and got the same issue. Here is how I solve this problem:

When create certificate for openvpn server, you should have 'X509v3 key usage' and
'X509v3 Extended key usage' options. My first created certificate only has 3 'X509v3 key usage'
digital signaute, non repudiation, key encipherment, and this certificate wont work instead
showed describe error above. While create seconde certificate, I also select 3 'X509v3 Extended key usage'
TLS web server, TLS web client, code signing, and this one accepted by opnsense openvpn
server.

Hope this helps