[SOLVED] Certificate check wrong result?

Started by siegfried, March 18, 2019, 12:37:41 PM

March 18, 2019, 12:37:41 PM Last Edit: March 18, 2019, 04:36:18 PM by franco
Hello all,

I'm using certificates issued by our internal PKI; all the certs for the boxes are generated with extendedKeyUsage for serverAuth. In the past I was able to make changes in OpenVPN servers. But the GUI is showing me (since the update to 19.1.4?) that the cert is not used for server use. So I cannot make any changes in the OpenVPN configuration; the GUI is telling me that the "certificate is not intended for server use".
Also, a certificate issued by the internal CA is unusable for the OpenVPN server (same message)... what's wrong?

Thanks in advance for your help!

Solved: the cert has to be set both for keyUsage AND ExtendedKeyUsage for OpenVPN. But in the past (pre 19.1.3) it was possible to have a server cert with just ExtendedKeyUsage and set the client options.

Hello!
Could you tell me how you did that?
Best Regards

I just migrated to OPNsense today and got the same issue. Here is how I solved this problem:

When creating a certificate for the OpenVPN server, you should have the 'X509v3 key usage' and
'X509v3 Extended key usage' options. My first certificate only had the 3 'X509v3 key usage':
digital signature, non repudiation, key encipherment, and this certificate won't work; instead it
showed the error described above. When creating the second certificate, I also selected the 3 'X509v3 Extended key usage':
TLS web server, TLS web client, code signing, and this one was accepted by the OPNsense OpenVPN
server.

Hope this helps
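
Added example, not from the posts above and not OPNsense's own code: a bash check that a certificate carries both extensions this thread describes before it is imported for an OpenVPN server. The required values (digitalSignature and keyEncipherment in keyUsage, serverAuth in extendedKeyUsage), the function names and the CN are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Assumption: a server certificate should carry keyUsage
# digitalSignature + keyEncipherment and extendedKeyUsage serverAuth.

# Build a throwaway self-signed certificate (constructed sample input).
make_cert() {  # make_cert <out.pem> <extension line>...
    local out=$1 dir
    shift
    dir=$(mktemp -d)
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
        printf '[dn]\nCN=vpn.example.test\n[ext]\n'
        printf '%s\n' "$@"
    } > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$out" 2>/dev/null
    rm -rf "$dir"
}

# Report missing usages; return 0 only when none are missing.
server_cert_ok() {  # server_cert_ok <cert.pem>
    local text ku eku rc=0
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # The values are printed on the line after each extension header.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage:' | tail -n 1)
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage:' | tail -n 1)
    case $ku in *'Digital Signature'*) ;; *) echo 'missing keyUsage: digitalSignature'; rc=1 ;; esac
    case $ku in *'Key Encipherment'*) ;; *) echo 'missing keyUsage: keyEncipherment'; rc=1 ;; esac
    case $eku in *'TLS Web Server Authentication'*) ;; *) echo 'missing extendedKeyUsage: serverAuth'; rc=1 ;; esac
    return $rc
}

# With an argument, check that file; otherwise check two constructed certificates.
if [ $# -gt 0 ]; then
    server_cert_ok "$1"
else
    d=$(mktemp -d)
    make_cert "$d/eku_only.pem" 'extendedKeyUsage=serverAuth'
    make_cert "$d/both.pem" 'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth'
    for c in eku_only both; do
        if server_cert_ok "$d/$c.pem"; then echo "$c: ok"; else echo "$c: rejected"; fi
    done
    rm -rf "$d"
fi
```

The certificate built with only extendedKeyUsage mirrors the case from the first post and is reported as missing both keyUsage values.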