OpenVPN and Intermediate Root CA

Started by 8191, March 19, 2017, 09:32:52 PM

Hi,

I'm struggling with OpenVPN and a more or less simple CA hierarchy. My CA chain looks like this:


Root CA (external)
   +-- Server Certificate
   \-- Client Sub-CA (internal of OPNsense)
      +-- user1
      +-- user2
      \-- usern


All CAs are installed into OPNsense. As a "Peer Certificate Authority" I have configured the "Client Sub-CA", as this is the CA directly signing the user certificates. The OpenVPN "Server Certificate" is the Server Certificate, which is not signed by the same CA as the user certificates, but its ancestor.

When trying to connect to this OpenVPN server I receive an error of VERIFY ERROR: depth=1, error=unable to get issuer certificate: Client Sub-CA. So OpenVPN is complaining that it cannot verify the configured "peer certificate authority". This is strange in some way, as I have configured this CA manually as a trusted certification authority, so why should its root be validated? :-\

Anyway, the solution to this is simply adding the "Root CA" to the OpenVPN's CA file (/var/etc/openvpn/server1.ca), but my question is whether it is valid and intended behaviour that OpenVPN questions my configured peer certificate authority.
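
The behaviour described in this post can be reproduced outside OpenVPN with plain openssl, which uses the same chain-building rules as OpenVPN's --ca option: the chain presented by the peer has to end at a self-signed root that is present in the trust bundle, so a bundle that only holds the Client Sub-CA fails at depth 1 with exactly the "unable to get issuer certificate" reason seen above. The following script is an added example, not something from the thread or from OPNsense; it builds a throwaway PKI with the hierarchy from the post (Root CA, Server Certificate signed by the root, Client Sub-CA signed by the root, user1 signed by the sub-CA) and then checks user1's certificate against three trust bundles. The file names, the "vpn.example" CN and the use of EC keys are assumptions made here for speed and convenience.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the poster's chain with a
# throwaway PKI and check, with plain openssl, which trust bundle lets the
# user certificate verify. Subject names come from the post; file names,
# the "vpn.example" CN and EC keys are assumptions made for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certificates get CA:TRUE, leaf certificates do not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > server.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

# Key + CSR for one subject: $1 = file basename, $2 = CN.
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue $1.crt from $1.csr, signed by CA $2 using extension file $3.
issue() {
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$1.crt" -days 2 -extfile "$3" >/dev/null 2>&1
}

# Root CA (the external one in the post): self-signed.
csr root "Root CA"
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
  -extfile ca.ext >/dev/null 2>&1
# Server Certificate, signed directly by the root.
csr server "vpn.example"
issue server root server.ext
# Client Sub-CA signed by the root, then user1 signed by the sub-CA.
csr subca "Client Sub-CA"
issue subca root ca.ext
csr user1 "user1"
issue user1 subca client.ext

# The bundle the poster ended up with in /var/etc/openvpn/server1.ca:
# the sub-CA plus its root.
cat root.crt subca.crt > server1.ca

# Verify $2 against trust bundle $1 only (system store disabled), the way
# OpenVPN's --ca does: the chain must end at a self-signed root in the bundle.
verify_with() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same check, but accept a non-root certificate in the bundle as the trust
# anchor. This is what "the sub-CA alone is trusted" would need, and it is
# not the mode OpenVPN uses.
verify_partial() {
  openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print PASS/FAIL plus openssl's reason, without aborting the script.
show() {
  if verify_with "$1" "$2"; then
    echo "PASS  $2 with bundle $1"
  else
    echo "FAIL  $2 with bundle $1:"
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" 2>&1 | grep -i error || true
  fi
}

show root.crt   server.crt   # server cert: the root alone is enough
show subca.crt  user1.crt    # the poster's first attempt: issuer missing at depth 1
show root.crt   user1.crt    # root alone: the sub-CA is missing at depth 0
show server1.ca user1.crt    # root + sub-CA: the chain is complete
```

Run it with any OpenSSL 1.1.1 or 3.x; the second case prints the same "unable to get issuer certificate" reason as the VERIFY ERROR in the post, and the last case passes once the root is in the bundle. The `-partial_chain` variant shows the only way a bare sub-CA can act as a trust anchor, and since OpenVPN does not verify that way, the root has to go into the CA file.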

It should try to verify the signature of every Certificate Authority in the chain, up to the root. I don't know how you would configure the Root Certificate as a 'trusted certifying authority', as that phrase makes me think of windows. I would assume that BSD has to have a store of trusted Root Certificates somewhere. I haven't seen a GUI option for it though.
