Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Scripts to manage certificates or generate config files
Post Reply
pwniii
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 11, 2018 5:19 pm

Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Post by pwniii » Wed Jul 11, 2018 5:24 pm

Hi,

I hope this is the right place to ask. I'm using a VPN Service since years with various operating systems. Recently I added a debian 9 + openvpn 2.4.0 box using the same config files like all other linux desktops. Only on Debian I get the message:

++ Certificate has key usage 00a0, expects 00a0
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
VERIFY EKU OK

What does it mean and why does it only occur on the debian box? Can't find any information about it. Sounds not so good anyway?

Thank you

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4880
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Post by TinCanTech » Wed Jul 11, 2018 5:42 pm

Those messages are correct and good.
pwniii wrote:
Wed Jul 11, 2018 5:24 pm
What does it mean
It means the server key usage has been correctly verified.
pwniii wrote:
Wed Jul 11, 2018 5:24 pm
why does it only occur on the debian box?
Probably because this is new and all your other boxes are out of date.

See --remote-cert-tls in the manual.

pwniii
OpenVpn Newbie
Posts: 2
Joined: Wed Jul 11, 2018 5:19 pm

Re: Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Post by pwniii » Sat Jul 14, 2018 6:32 pm

Thank you for the answer.

What I still consider strange is: I Used the same ISO and setup the debian 9 in exact the same way running exact the same version (2.4.0) without that message to come. The other boxes running Arch (rolling release) with a newer version then 2.4.0 and also do not showing that message. I'm a bit confused tho. Even if it's good to know it don't affect the security of the VPN connection.

Post Reply