CRL issuer error

Scripts to manage certificates or generate config files

Post by skaaptjop » Wed Feb 24, 2016 6:09 pm

Hi all,
I have a pfSense 2.2.6 system successfully running 25 site-to-site OpenVPN connections.
The setup uses a 2 tier PKI infrastructure as follows:
  • Root CA installed in cert manager
  • Intermediate CA signed by Root in cert manager
  • OpenVPN client certs signed from Intermediate CA
  • OpenVPN server cert signed from Intermediate CA
  • Cert manager created the CRLs for the Root and Intermediate CAs
  • The OpenVPN server has the Intermediate CA as the Peer CA and the Intermediate CA's CRL as the Peer CRL in the config.
  • The clients all have a full certificate chain installed
The VPN works fine but I get numerous logs complaining about:

openvpn[24740]: vpn-client-1/xx.xxx.xxx.xxx:xxxxx CRL: CRL /var/etc/openvpn/server3.crl-verify is from a different issuer than the issuer of certificate <...intermeidate CA...>

I can't quite figure out why I get this message. I've tried all possible combinations of CAs and CRLs in the Peer settings, but it made no difference.

Any help greatly appreciated.
