Setup two intermediate CA certs

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
enric1994
OpenVpn Newbie
Posts: 2
Joined: Tue Jul 03, 2018 10:09 am

Setup two intermediate CA certs

Post by enric1994 » Tue Jul 03, 2018 10:40 am

Greetings,
I am struggling with OpenVPN for Docker: https://github.com/kylemanna/docker-openvpn :oops:
(Version 2.4.4)

My setup is the following:
- Root CA
- Intermediate CA 1
- Intermediate CA 2
- Server certified by Intermediate CA 1
- Client certified by Intermediate CA 2

Client used: OpenVPN for Android (6)

Certificates configuration:
-Server:
ca stacked.crt
cert server.crt
key server.key

-Client:
ca stacked.crt
cert client.crt
key client.key

I am getting the typical error: verify error depth=0 error=unable to get local issuer certificate


Any idea? I followed the chains guide: https://community.openvpn.net/openvpn/w ... ate_Chains

Thanks!

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 4896
Joined: Fri Jun 03, 2016 1:17 pm

Re: Setup two intermediate CA certs

Post by TinCanTech » Tue Jul 03, 2018 2:35 pm

enric1994 wrote:
Tue Jul 03, 2018 10:40 am
My setup is the following:
- Root CA
- Intermediate CA 1
- Intermediate CA 2
- Server certified by Intermediate CA 1
- Client certified by Intermediate CA 2
That is not how the example you followed is created ..

Then you go on to use a "stacked" CA not, as the example explains, a "chained" certificate.

Please follow the example properly and let us know if it works then.

enric1994
OpenVpn Newbie
Posts: 2
Joined: Tue Jul 03, 2018 10:09 am

Re: Setup two intermediate CA certs

Post by enric1994 » Thu Jul 05, 2018 8:54 am

Good morning,
I know that my PKI is different from the example (server cert is issued by an intermediate), that's why I tried the with the stacked. And modifying my PKI hierarchy is not an option.

I also tried the recommended configuration of the chains guide:
On the server:
ca ca.crt
cert server.crt
On the client:
ca ca.crt
cert chained.crt

But still with the "verify error depth=0 error=unable to get local issuer certificate"

Which configuration I should apply?

Post Reply