CA certificate renew

Posted: Tue Feb 28, 2017 9:32 am
by mclei
What is the right way to manage CA certificate renewal? I think there is a bug in OpenVPN 2.3 in CA certificate management.

I was using OpenVPN 2.1 with this renewal workflow:
- top level is root certificate with very long expiration date
- intermediate certificate has 2 year expiration date
- user certificates have 1 year expiration date

Each year I renew the intermediate certificate, so every time I have 2 valid intermediate certificates with overlapping valid dates. It is obvious practice used to deploy user certificates.

It was fully correct to import 2 intermediate certificates with the same subject in OpenVPN 2.1, but in 2.3 I get these errors, and VPN fails to start:
Tue Feb 28 10:15:50 2017 us=824985 Cannot load CA certificate file user-vpn/CA.pem (entry 3 did not validate)
Tue Feb 28 10:15:50 2017 us=825544 Cannot load CA certificate file user-vpn/CA.pem (entry 4 did not validate)
Tue Feb 28 10:15:50 2017 us=825867 Cannot load CA certificate file user-vpn/CA.pem (only 2 of 4 entries were valid X509 names) (OpenSSL)
Tue Feb 28 10:15:50 2017 us=826195 Exiting due to fatal error
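As an added example (not code from the thread or from OpenVPN), a stdlib-only Python audit of a multi-entry --ca bundle like the one described above: it lists each entry's serial, subject and validity window and reports entries that share a subject, which is exactly the overlap the renewal workflow deliberately creates. The bundle it runs on is constructed inline from hypothetical names and dates; the certificates are structurally valid but unsigned, since only the parser reads them.

```python
import base64, re
from datetime import datetime

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):  # members of a SEQUENCE/SET value as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out
def _name(der):  # Name ::= SEQUENCE OF SET OF SEQUENCE {type, value}; join the values
    return "/".join(_children(atv)[1][1].decode("utf-8", "replace")
                    for _, rdn in _children(der) for _, atv in _children(rdn))
def cert_info(der):  # serial, subject and validity window of one DER certificate
    tbs = _children(_children(_children(der)[0][1])[0][1])  # tbsCertificate fields
    if tbs[0][0] == 0xA0:  # explicit [0] version is present in v3 certs, absent in v1
        tbs = tbs[1:]
    nb, na = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in _children(tbs[3][1]))
    return {"serial": int.from_bytes(tbs[0][1], "big"), "subject": _name(tbs[4][1]),
            "not_before": nb, "not_after": na}
def audit_bundle(pem):  # all entries, plus 1-based entry numbers of certs sharing a subject
    certs = [cert_info(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem)]
    by_subject = {}
    for i, c in enumerate(certs, 1):
        by_subject.setdefault(c["subject"], []).append(i)
    return certs, {s: n for s, n in by_subject.items() if len(n) > 1}

# Constructed sample bundle: structurally valid but unsigned certificates, hypothetical names.
def _der(tag, *parts):  # minimal DER encoder (lengths up to 65535)
    n = len(body := b"".join(parts))
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body
def make_cert(subject, serial, nb, na):
    cn = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x13, subject.encode()))))
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), _der(0x05))  # sha256WithRSA
    t = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())  # UTCTime
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, bytes([serial])), alg, cn,
               _der(0x30, t(nb), t(na)), cn, _der(0x30, alg, _der(0x03, b"\x00")))
    der = _der(0x30, tbs, alg, _der(0x03, b"\x00"))  # placeholder empty signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = b"".join([
    make_cert("Example Root CA", 1, datetime(2010, 1, 1), datetime(2040, 1, 1)),
    make_cert("Example Intermediate CA", 2, datetime(2016, 1, 1), datetime(2018, 1, 1)),
    make_cert("Example Intermediate CA", 3, datetime(2017, 1, 1), datetime(2019, 1, 1))])
```

Run `audit_bundle(open("CA.pem", "rb").read())` against a real bundle to see which entry numbers share a subject and whether their windows actually overlap; entries dated 2050 or later use GeneralizedTime, which this minimal parser does not handle.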

Re: CA certificate renew

Posted: Tue Feb 28, 2017 2:08 pm
by TinCanTech
Is that Openvpn-2.3.14?

Re: CA certificate renew

Posted: Tue Feb 28, 2017 8:05 pm
by mclei
Debian stable - Jessie version: 2.3.4-5
Is this fixed in later versions?

Re: CA certificate renew

Posted: Tue Feb 28, 2017 8:07 pm
by mclei
The main problem is that overlapping certificates have the same subject.

Re: CA certificate renew

Posted: Mon Apr 10, 2017 7:15 pm
by mclei
Has really nobody faced this problem? How are you renewing the CA certificate? Always creating a new certificate with a different subject?