Can --extra-certs be used for a trust chain?

Scripts to manage certificates or generate config files
ShelLuser
OpenVpn Newbie
Posts: 2
Joined: Wed Feb 08, 2017 8:10 am

Can --extra-certs be used for a trust chain?

Postby ShelLuser » Wed Feb 08, 2017 8:25 am

Hi guys,

I've set up OpenVPN between two FreeBSD servers and got everything working. However, there's one thing puzzling me, and I'm trying to get to the bottom of it, so I'm hoping someone can give me a hint.

I have my own CA structure, but to prevent the risk of certificates I've given out being (ab)used for VPN authentication, I've set up a sub-CA for the sole purpose of issuing/signing certificates for VPN usage. So my chain of trust is: root ca => vpn ca => client/server certificate (the root ca signed the vpn ca certificate, and that certificate was used to sign the client/server certificates). This setup works. However, the only way I could get it to work was by combining both CA certificates in one file and using --ca to point to this file. This is not fully desirable because, if I read correctly, it also means that the root ca is now also trusted to issue client certificates used for authentication.

Originally I specified the vpn ca using the --ca parameter, and the root ca using --extra-certs. I already determined that this doesn't work (the error being "unable to get issuer certificate"), but I don't understand why. From what I read in the manual page, the --extra-certs option is used to complete the local certificate chain, and I believe that's exactly what I was doing.

Now, I am fully aware of the --verify-x509-name option which allows me to limit the accepted certificates for authentication, but that's also not the point of my post.

I'm merely trying to figure out why my chain of trust isn't working as I expected it to work.

Thanks in advance for any comments you can give me!

Nicolas Jungers
OpenVpn Newbie
Posts: 4
Joined: Wed Aug 02, 2017 9:36 am

Re: Can --extra-certs be used for a trust chain?

Postby Nicolas Jungers » Thu Aug 03, 2017 6:23 am

Hello,

I'm wondering how you did it. I just tried to do the same and end up with a TLS error.

My setup is the same as yours: root ca => vpn ca => client/server certificate (root ca signed the vpn ca certificate and this certificate was used to sign the client/server certificates).

with:

server:
    ca keys/sub+ca.chained.crt
    cert keys/server.crt
    key keys/server.key

client:
    ca keys/sub+ca.chained.crt
    cert keys/client.crt
    key keys/client.key

The log says:


[24278]: VERIFY OK: depth=2, CN=mydomain.net CA
[24278]: VERIFY OK: depth=1, CN=mysub subCA
[24278]: VERIFY nsCertType ERROR: CN=server.mydomain.net, require nsCertType=SERVER
[24278]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed


My server is running SmartOS and the client is Ubuntu, but both have a fairly recent OpenVPN/OpenSSL combo.

(see post viewtopic.php?f=22&t=24629#p72167)
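Added example, not code from either poster: the script below rebuilds the root ca => vpn ca => leaf hierarchy both posts describe with plain openssl and runs the checks that explain the two errors in this thread. Three things it shows. First, OpenSSL's verifier (the one OpenVPN uses) only accepts a chain that ends at a self-signed certificate in the trust store, so a --ca file holding just the vpn ca produces exactly "unable to get issuer certificate"; --extra-certs does not help because, as the man page says, it completes the chain you present to the peer, not the set of issuers you trust. Second, putting the root in --ca does make every certificate the root signs directly acceptable, so the missing control is an issuer check on the peer certificate (which is what --verify-x509-name or a --tls-verify hook does). Third, the nsCertType error in the second post comes from the server certificate lacking the nsCertType=server extension that the deprecated ns-cert-type check looks for; remote-cert-tls server instead looks at extendedKeyUsage. All subject names, file names and the extension profile are made up for the example, and openssl 1.1.1 or 3.x is assumed to be in PATH.

```shell
#!/bin/sh
# Added example (not from the forum thread). Builds a throwaway
# root ca -> vpn ca -> leaf hierarchy and checks it the way OpenSSL does.
# Assumptions: openssl 1.1.1 or 3.x in PATH; every name below is invented.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed extension profiles for the certificate roles used below.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]

[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[server_ok]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server

[server_noext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF

# Key + CSR for a given CN; EC keys keep the example fast.
newcsr() {  # newcsr <CN> <file base>
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config ext.cnf -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
}
# Sign a CSR with a CA, applying one extension section from ext.cnf.
sign() {  # sign <csr base> <ca base> <ext section> <out base>
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions "$3" -out "$4.crt" 2>/dev/null
}

# root ca (self-signed) => vpn ca => leaf certificates
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -config ext.cnf -extensions ca -subj "/CN=mydomain.net CA" -days 30 \
  -keyout root.key -out root.crt 2>/dev/null
newcsr "mysub subCA" vpn                  && sign vpn   root ca           vpn
newcsr "server.mydomain.net" srv          && sign srv   vpn  server_ok    srv
newcsr "server-noext.mydomain.net" noext  && sign noext vpn  server_noext noext
# A leaf signed directly by the root, i.e. never issued by the vpn ca.
newcsr "stray.mydomain.net" stray         && sign stray root server_ok    stray

cat vpn.crt root.crt > chain.pem   # the combined file both posters used as --ca

# 0 when openssl accepts the leaf against the given trust file.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# 0 when the verifier reports the exact error from the first post.
issuer_error()   { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q "unable to get issuer certificate"; }
# 0 when the non-self-signed vpn ca alone is accepted as an anchor (OpenSSL partial-chain flag).
verify_partial() { openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; }
# 0 when the leaf's issuer is the given CA: the depth-1 check a --tls-verify hook would make.
issued_by()      { [ "$(openssl x509 -in "$2" -noout -issuer_hash)" = "$(openssl x509 -in "$1" -noout -subject_hash)" ]; }
# Extensions behind OpenVPN's two peer-role checks.
has_ns_server()  { openssl x509 -in "$1" -noout -text | grep -q "SSL Server"; }                    # ns-cert-type server (deprecated)
has_eku_server() { openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"; } # remote-cert-tls server

report() { if "$@"; then echo "yes: $*"; else echo "no:  $*"; fi; }
report verify_against vpn.crt   srv.crt    # no: vpn ca is not self-signed, chain cannot terminate
report issuer_error   vpn.crt   srv.crt    # yes: "unable to get issuer certificate"
report verify_partial vpn.crt   srv.crt    # yes, but only with OpenSSL's partial-chain flag
report verify_against chain.pem srv.crt    # yes
report verify_against chain.pem stray.crt  # yes: the root is now a trust anchor too
report issued_by      vpn.crt   stray.crt  # no: the issuer check closes that gap
report has_ns_server  srv.crt              # yes
report has_ns_server  noext.crt            # no: this is what the nsCertType error is about
report has_eku_server srv.crt              # yes: what remote-cert-tls server requires
```

The partial-chain case is shown only to make the verifier's rule visible; nothing in either poster's configuration sets that flag, so in practice --ca has to carry the chain up to a self-signed root and the "only the vpn ca may issue" policy has to be enforced separately, by --verify-x509-name as the first post already notes, or by an issuer check like issued_by in a --tls-verify script.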

