Hi, I have installed OPENVPN in my mikrotik v6.42.1
I have created my own CA, server and client certificates.
But when I try to connect I get this error:
Mon May 07 10:59:15 2018 us=431584 ++ Certificate has key usage 00b6, expects 00a0
Mon May 07 10:59:15 2018 us=431584 ++ Certificate has key usage 00b6, expects 0088
Mon May 07 10:59:15 2018 us=431584 VERIFY KU ERROR
Mon May 07 10:59:15 2018 us=432554 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mon May 07 10:59:15 2018 us=432554 TLS_ERROR: BIO read tls_read_plaintext error
Mon May 07 10:59:15 2018 us=432554 TLS Error: TLS object -> incoming plaintext read error
Mon May 07 10:59:15 2018 us=432554 TLS Error: TLS handshake failed
Mon May 07 10:59:15 2018 us=433555 Fatal TLS error (check_tls_errors_co), restarting
Mon May 07 10:59:15 2018 us=433555 TCP/UDP: Closing socket
This is the config in the client:
-----------------------------------------
resolv-retry infinite
nobind
persist-key
persist-tun
ca cert_Ca_Ados.crt
cert cert_Ados_client1.crt
key cert_Ados_client1.key
tls-client
remote-cert-tls server
cipher AES-256-CBC
verb 4
mute 10
------------------------------------------
I don't know how to export the config to a file from Mikrotik.
Thanks everybody in advance
verify key usage error.
Re: verify key usage error.
It looks like your certificates are messed up. How did you make them?
I have no idea what a Mikrotik is. Are you able to run OpenSSL commands on it? If so, you can check your certificates like this:
openssl x509 -in ca.crt -text
openssl x509 -in server.crt -text
openssl x509 -in client.crt -text
You should get results like these:
CA:
X509v3 Key Usage: Certificate Sign, CRL Sign
Server:
X509v3 Extended Key Usage: TLS Web Server Authentication
X509v3 Key Usage: Digital Signature, Key Encipherment
Client:
X509v3 Extended Key Usage: TLS Web Client Authentication
X509v3 Key Usage: Digital Signature
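The key usage masks from the log in the first post, decoded into the names used in the answer above, as an added example that is not part of the original thread. It assumes the hex masks use OpenSSL's KU_* bit values and, because the log shows 00b6 rejected even though it contains every bit of 00a0, that the client compares the masks for an exact match.

```python
import re

# OpenSSL KU_* bit values, with the names `openssl x509 -text` prints.
# Assumption: the hex masks in the OpenVPN log use these same bit values.
KU_BITS = [
    (0x80, "Digital Signature"),
    (0x40, "Non Repudiation"),
    (0x20, "Key Encipherment"),
    (0x10, "Data Encipherment"),
    (0x08, "Key Agreement"),
    (0x04, "Certificate Sign"),
    (0x02, "CRL Sign"),
    (0x01, "Encipher Only"),
    (0x8000, "Decipher Only"),
]

KU_LINE = re.compile(
    r"Certificate has key usage\s+([0-9a-fA-F]+), expects ([0-9a-fA-F]+)")

# Log lines copied from the first post in this thread.
SAMPLE_LOG = """\
Mon May 07 10:59:15 2018 us=431584 ++ Certificate has key usage 00b6, expects 00a0
Mon May 07 10:59:15 2018 us=431584 ++ Certificate has key usage 00b6, expects 0088
Mon May 07 10:59:15 2018 us=431584 VERIFY KU ERROR
"""

def decode_ku(mask):
    """Return the key usage names whose bits are set in the mask."""
    return [name for bit, name in KU_BITS if mask & bit]

def explain(log):
    """For each 'has X, expects Y' line, list the bits that differ."""
    report = []
    for has_hex, want_hex in KU_LINE.findall(log):
        has, want = int(has_hex, 16), int(want_hex, 16)
        report.append({
            "has": decode_ku(has),
            "expects": decode_ku(want),
            "extra": decode_ku(has & ~want),    # set on the cert, not expected
            "missing": decode_ku(want & ~has),  # expected, not set on the cert
            "exact_match": has == want,
        })
    return report

if __name__ == "__main__":
    for row in explain(SAMPLE_LOG):
        print(row)
```

For the masks in this thread, the server certificate carries Data Encipherment, Certificate Sign and CRL Sign on top of what 00a0 allows; the last two are the usages the answer above lists for a CA, not for a server.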
Re: verify key usage error.
Hi bbuckm, I ran "openssl x509 -in ca.crt -text" on Ubuntu and it gave an "Error opening" error.
Is x509 a format for certificates? Maybe I haven't exported them as x509. Is it mandatory for OpenVPN to use this kind, "x509"?
Thanks
Re: verify key usage error.
Yes, they are X509 certificates. You can make them on Linux or you can make them on Windows. I’ve never heard of Mikrotik and don't know anything about it.