I am running an OpenVPN server with a two-level PKI where the server and client certificates come from different CAs:
Code:
           Root CA
          /       \
    ServerCA     UserCA
       |            |
  Server Cert   Client Cert
The keys are all RSA 2048 and the certs are all signed with SHA256, in case it matters.
This is what the ovpn file looks like:
Code:
remote vpn-entry-01.acme-company.nowhere
remote-cert-tls server
client
proto udp
dev tun
comp-lzo
verb 5
<ca>
-----BEGIN CERTIFICATE-----
Root CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Server CA, issued by RootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
User CA, issued by RootCA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
The client's certificate, issued by User CA above
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Client's key, I tried it with or without password
-----END RSA PRIVATE KEY-----
</key>
Code:
VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=DE, DC=Acme, DC=VPN User, DC=External, CN=test.user@acme.com:phone
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed