Can --extra-certs be used for a trust chain?
Posted: Wed Feb 08, 2017 8:25 am
Hi guys,
I've set up OpenVPN between two FreeBSD servers and got everything working; however, there's one thing puzzling me and I'm trying to get my fingers behind it. So I'm hoping someone can give me a hint.
I have my own CA structure, but to prevent the risk of given-out certificates being (ab)used for VPN authentication I've set up a sub-CA for the sole purpose of issuing / signing certificates for VPN usage. So my chain of trust is: root ca => vpn ca => client/server certificate (the root ca signed the vpn ca certificate, and this certificate was used to sign the client/server certificates). This setup works. However, the only way I could get it to work was by combining both CA certificates in one file and using --ca to point to this file. This is not fully desirable because, if I read correctly, this also means that the root ca is now also trusted to issue client certificates used for authentication.
Originally I specified the vpn ca using the --ca parameter, and the root ca using --extra-certs. I already determined that this doesn't work (the error being "unable to get issuer certificate") but I don't understand why. From what I read in the manual page, the --extra-certs option is used to complete the local certificate chain. And I believe that's exactly what I was doing.
Now, I am fully aware of the --verify-x509-name option which allows me to limit the accepted certificates for authentication, but that's also not the point of my post.
I'm merely trying to figure out why my chain of trust isn't working as I expected it to work.
Thanks in advance for any comments you can give me!
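Added example, not code from the original post or from OpenVPN: the poster's chain rebuilt with throw-away keys so that `openssl verify` (OpenVPN is normally built against OpenSSL) reproduces the error. OpenSSL only accepts a chain that ends at a self-signed certificate held in its trust store, and certificates a peer sends during the handshake (which is what --extra-certs supplies) are treated as untrusted intermediates, never as anchors, so a store holding only the VPN sub-CA fails with "unable to get issuer certificate". Assumes openssl 1.1.1+ on PATH; every subject and file name below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post or from OpenVPN): rebuild the
# poster's chain with throw-away keys and let "openssl verify" show why a trust
# store holding only the VPN sub-CA fails. Assumes openssl 1.1.1+ on PATH;
# every subject name and file name here is constructed for the demo.
set -e
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }
W=$(mktemp -d) && cd "$W"

# Minimal config so the run does not depend on the system openssl.cnf
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# root ca (self-signed) => vpn ca => client1, plus a client signed by the root directly
openssl req -config req.cnf -x509 -extensions ca_ext -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=Example VPN CA" -keyout vpn.key -out vpn.csr 2>/dev/null
openssl x509 -req -in vpn.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile req.cnf -extensions ca_ext -out vpn.crt 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=client1" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA vpn.crt -CAkey vpn.key -CAcreateserial -days 30 \
  -out client.crt 2>/dev/null
openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -out rootclient.crt 2>/dev/null
cat root.crt vpn.crt > both.crt   # the combined file the poster ended up using for --ca

# vfy: run "openssl verify" (system CA dir disabled) with the given options; the exit
# status is the verdict and $OUT keeps the output. reason: the verifier's error string.
vfy() { OUT=$(openssl verify -no-CApath "$@" 2>&1); }
reason() { echo "$OUT" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1; }
show() { if vfy "$@"; then echo "OK   : verify $*"; else echo "FAIL : verify $* ($(reason))"; fi; }

show -CAfile vpn.crt client.crt                      # the poster's error: root missing from the store
show -CAfile vpn.crt -untrusted root.crt client.crt  # root offered as an extra (untrusted) cert: still fails
show -partial_chain -CAfile vpn.crt client.crt       # sub-CA accepted as an anchor: OK
show -CAfile both.crt client.crt                     # root + vpn ca in the store: OK ...
show -CAfile both.crt rootclient.crt                 # ... but a root-issued client is now accepted too
show -partial_chain -CAfile vpn.crt rootclient.crt   # anchoring only on the vpn ca rejects it
```

`-partial_chain` is an `openssl verify` flag used here only to show that the missing root, not the sub-CA itself, is what the verifier objects to; the last three cases show what the combined --ca file accepts compared with anchoring on the VPN CA alone.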