Has anyone succeeded in getting X.509 cross certification (similar to e.g. Let's Encrypt, two different roots) to work with OpenVPN? i.e.
- server <- Intermediate 1A <- Old_Root
- server <- Intermediate 1B <- New_Root
It would be a nice way to allow deployment of New_Root before Old_Root expires, giving clients plenty of time to upgrade, without needing to set up multiple openvpn listeners.
I've tried many variants of this, unfortunately without demonstrating success. For example, using the capath directive with a c_rehash'ed folder:
- Server sends a complete certificate chain (verified using Wireshark), always picking the Old_Root path for some reason, even if that path contains expired intermediates.
- Client always picks the Old_Root path, and never picks the New_Root path. So the client considers the path expired, even if an unexpired alternative path exists.