verify key usage error.

Scripts to manage certificates or generate config files
Post Reply
Ados
OpenVpn Newbie
Posts: 2
Joined: Mon May 07, 2018 9:03 am

verify key usage error.

Post by Ados » Mon May 07, 2018 9:13 am

Hi, I have installed OPENVPN in my mikrotik v6.42.1

I have created my own CA, server and client certificartes.

But when I try to connect I get this error:

Mon May 07 10:59:15 2018 us=431584 ++ Certificate has key usage 00b6, expects 00a0
Mon May 07 10:59:15 2018 us=431584 ++ Certificate has key usage 00b6, expects 0088

Mon May 07 10:59:15 2018 us=431584 VERIFY KU ERROR
Mon May 07 10:59:15 2018 us=432554 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mon May 07 10:59:15 2018 us=432554 TLS_ERROR: BIO read tls_read_plaintext error
Mon May 07 10:59:15 2018 us=432554 TLS Error: TLS object -> incoming plaintext read error
Mon May 07 10:59:15 2018 us=432554 TLS Error: TLS handshake failed
Mon May 07 10:59:15 2018 us=433555 Fatal TLS error (check_tls_errors_co), restarting
Mon May 07 10:59:15 2018 us=433555 TCP/UDP: Closing socket



this is the config in the client:
-----------------------------------------
resolv-retry infinite
nobind
persist-key
persist-tun
ca cert_Ca_Ados.crt
cert cert_Ados_client1.crt
key cert_Ados_client1.key
tls-client
remote-cert-tls server
cipher AES-256-CBC
verb 4
mute 10
------------------------------------------

I don't know how export config to a file from Mikrotik


Thanks everybody in advance

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4898
Joined: Fri Jun 03, 2016 1:17 pm

Re: verify key usage error.

Post by TinCanTech » Mon May 07, 2018 11:38 am

Please use:
https://github.com/OpenVPN/easy-rsa/releases

Then upload the files to your device.

bbuckm
OpenVPN User
Posts: 41
Joined: Thu Apr 26, 2018 2:45 pm

Re: verify key usage error.

Post by bbuckm » Mon May 07, 2018 11:42 am

It looks like your certificates are messed up. How did you make them?

I have no idea what a Mikrotik is. Are you able to run OpenSSL commands on it? If so, you can check your certificates like this:

openssl x509 -in ca.crt -text
openssl x509 -in server.crt -text
openssl x509 -in client.crt -text

You should get results like these:

CA:
X509v3 Key Usage: Certificate Sign, CRL Sign

Server:
X509v3 Extended Key Usage: TLS Web Server Authentication
X509v3 Key Usage: Digital Signature, Key Encipherment

Client:
X509v3 Extended Key Usage: TLS Web Client Authentication
X509v3 Key Usage: Digital Signature

Ados
OpenVpn Newbie
Posts: 2
Joined: Mon May 07, 2018 9:03 am

Re: verify key usage error.

Post by Ados » Mon May 07, 2018 2:36 pm

Hi bbuckm, I did "openssl x509 -in ca.crt -text" with an Ubuntu and give an issue "Error opening".

x509 it's a format for certificates? maybe i haven't exported as x509. It's mandatori for OPENVPN use this kind "x509"?

Thanks

bbuckm
OpenVPN User
Posts: 41
Joined: Thu Apr 26, 2018 2:45 pm

Re: verify key usage error.

Post by bbuckm » Mon May 07, 2018 2:56 pm

Yes, they are X509 certificates. You can make them on Linux or you can make them on Windows. I’ve never heard of Mikrotik and dont know anything about it.

Post Reply