"ca md too weak". How do I use a stronger algorithm with easy-rsa?

Support forum for Easy-RSA certificate management suite.


leovpn
OpenVpn Newbie
Posts: 2
Joined: Mon Jul 17, 2023 6:18 am

"ca md too weak". How do I use a stronger algorithm with easy-rsa?

Post by leovpn » Mon Jul 17, 2023 6:20 am

I'm lost with this OpenVPN/OpenSSL thing. I've tried to follow three different tutorials that appear to be for three different versions of the thing. Long story short, my client won't connect, and in journalctl it says "ca md too weak" which apparently means I need to use a stronger algorithm while creating my ca.crt. But how...? I'm following an easy-rsa tutorial so anything besides that is gonna throw me off. I tried setting KEY_ALG, EASYRSA_DIGEST, and EASYRSA_ALGO in the `vars` file but to no avail. It's still creating a weak CA. I can't even find a list of possible vars anywhere... someone please help

rondeaut
OpenVpn Newbie
Posts: 7
Joined: Wed Jul 19, 2023 1:54 am

Re: "ca md too weak". How do I use a stronger algorithm with easy-rsa?

Post by rondeaut » Wed Jul 19, 2023 2:55 am

Hi Leo, I'm still learning about this issue myself, but as far as I understand it the error message is misleading. The problem is the signing of the client certificate and not the CA certificate.

I don't use easy-rsa, but I can see that openssl-easyrsa.cnf contains this:

default_md	= $ENV::EASYRSA_DIGEST

default_md specifies the signing algorithm for the client cert. So setting EASYRSA_DIGEST to sha256 should fix the problem.

From your post it's unclear what you're doing. Is it the case that you updated EASYRSA_DIGEST, regenerated the CA, regenerated the client cert, connected with OpenVPN, and still got the "ca md too weak" message?

croosman
OpenVpn Newbie
Posts: 2
Joined: Fri Mar 08, 2024 3:42 pm

Re: "ca md too weak". How do I use a stronger algorithm with easy-rsa?

Post by croosman » Fri Mar 08, 2024 3:49 pm

Hello OpenVPN community,

I am facing the same issue as OP mentioned. After updating the OpenVPN client to the latest available version, I receive the following error message: "You are using insecure hash algorithm in CA signature". By opening the log file I can see "ca md too weak".

First things first, I have deleted all the existing certificates by running the "clean-all" script. I have also modified the openssl.cnf file by changing the default_md setting from "md5" to "sha256". Afterwards I have started the whole process from scratch as it's described in the documentation: generating the ca.key + ca.crt, server.crt + server.key, and finally a test certificate and key for myself.

Upon trying to connect I get the same old thing. It seems that changing the default_md setting in the openssl.cnf did not do anything. I have also used the following command to find some metadata regarding my ca.crt: "openssl x509 -in ca.crt -noout -text | grep Signature". The result is sha1WithRSAEncryption.

I would also want to point out the fact that my openvpn server is not running on a router but on a virtual machine.

Any suggestion?

Thank you!

croosman
OpenVpn Newbie
Posts: 2
Joined: Fri Mar 08, 2024 3:42 pm

Re: "ca md too weak". How do I use a stronger algorithm with easy-rsa?

Post by croosman » Fri Mar 08, 2024 4:44 pm

OK, I was able to resolve this one by modifying the following lines inside the pkitool bash script.
pkitool: $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
pkitool: -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \

Changed from sha1 to sha256. Afterwards I have recreated everything from scratch. That means CA cert+key, server cert+key, client cert+key.
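Added example, not code from this thread or from easy-rsa: a standard-library Python check that does what the `openssl x509 -in ca.crt -noout -text | grep Signature` step above does, reading the signatureAlgorithm field of a PEM or DER certificate and flagging md5/sha1 signatures, so the regenerated CA, server and client certs can be verified before reconnecting. The sample certificate bytes are constructed for the test and are not a real certificate; `WEAK_DIGESTS` and the OID table are this example's own assumptions.

```python
import base64
import re

SIG_ALG_NAMES = {  # OID -> name as `openssl x509 -noout -text | grep Signature` prints it
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_DIGESTS = ("md2", "md4", "md5", "sha1")  # assumption: digests this check refuses

def read_tlv(buf, pos):  # one DER TLV at buf[pos] -> (tag, contents, end_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(raw):  # OID contents -> dotted form (first octet = 40*a+b, then base-128 arcs)
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear = last octet of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))
def to_der(data):  # accept PEM text/bytes (e.g. the contents of ca.crt) or DER bytes
    data = data.encode() if isinstance(data, str) else data
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data

def signature_algorithm(cert_data):
    """(oid, name) of the outer signatureAlgorithm; Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = read_tlv(to_der(cert_data), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert, 0)    # skip tbsCertificate
    _, alg, _ = read_tlv(cert, after_tbs)  # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    tag, oid_raw, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = decode_oid(oid_raw)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")
def is_weak(name):  # md*/sha1 signatures are weak; unknown algorithms fail closed
    return name == "unknown" or any(d in name.lower() for d in WEAK_DIGESTS)
SAMPLE_SHA1_CERT = bytes.fromhex(  # constructed sample, NOT a real certificate
    "30 1a"                                         # Certificate SEQUENCE, 26 bytes
    "30 02 05 00"                                   # tbsCertificate stand-in
    "30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00"  # sha1WithRSAEncryption, NULL params
    "03 05 00 de ad be ef")                         # signatureValue stand-in
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(SAMPLE_SHA1_CERT).decode()
```

Run `signature_algorithm(open("ca.crt").read())` against each regenerated certificate; a result for which `is_weak` is true is one OpenVPN will still reject.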
