Problem with intermediate certificate

This forum is for admins who are looking to build or expand their OpenVPN setup.

fabienfs
OpenVpn Newbie
Posts: 17
Joined: Sun Mar 23, 2014 12:48 pm

Problem with intermediate certificate

Post by fabienfs » Sun Jul 13, 2014 11:38 pm

Hello everyone,

I have a problem with a configuration where I use an intermediate certificate.
But I have correctly followed the steps described here: https://community.openvpn.net/openvpn/w ... ate_Chains

- I have a root certificate : ca.crt
- I have an intermediary CA, signed by ca.crt : sub.crt
- I have a server certificate, signed by ca.crt : server.crt
- I have a client certificate, signed by sub.crt : client.crt

In my OpenVPN server config file :
ca ca.crt
cert server.crt

In my OpenVPN client config file :
ca ca.crt
cert chained.crt

chained.crt contains client.crt and sub.crt one after the other

But it does not work. Here is the error I get:

Code:

TLS: Initial packet from [AF_INET]*****:38024, sid=58bf511f 056992ea
VERIFY ERROR: depth=1, error=invalid CA certificate: C=BE, ST=Brussels, O=MyOrganisation, CN=OpenVPN Clients, emailAddress=name@mydomain.org
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting

Do you have any idea where my problem could come from? I feel that the server does not recognize the client certificate. Why?

Thanks a lot,

Fabien

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Problem with intermediate certificate

Post by maikcat » Mon Jul 14, 2014 9:09 am

can you post the command used to create chained.crt file?

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

fabienfs
OpenVpn Newbie
Posts: 17
Joined: Sun Mar 23, 2014 12:48 pm

Re: Problem with intermediate certificate

Post by fabienfs » Mon Jul 14, 2014 9:22 am

maikcat wrote: can you post the command used to create chained.crt file?
I put the two certificates one after the other in Notepad (see below). Is this not good?

Code:

-----BEGIN CERTIFICATE-----
...
client crt
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
intermediate crt
...
-----END CERTIFICATE-----
Is there a command to chain the certificates with OpenSSL on Windows?

Thanks

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Problem with intermediate certificate

Post by maikcat » Mon Jul 14, 2014 9:43 am

first,

if Notepad added CR/LF it may have corrupted your file,
always use the cat command inside Linux to merge text files,

also AFAIK the merged file must contain: your CA + intermediate CA.

also you can check it by using

Code:

openssl verify -CAfile merged.pem IntermediateClientcert.crt
Michael.

fabienfs
OpenVpn Newbie
Posts: 17
Joined: Sun Mar 23, 2014 12:48 pm

Re: Problem with intermediate certificate

Post by fabienfs » Mon Jul 14, 2014 7:27 pm

maikcat wrote: always use the cat command inside Linux to merge text files
I just did the test with the cat command, but I still have the same problem :-(

Here is the chained certificate with the CAT command : http://www.sksgroup.com/cert/chain.crt

- ca : http://www.sksgroup.com/cert/ca.crt
- intermediary CA : http://www.sksgroup.com/cert/sub.crt
- client certificate (signed by sub.crt) : http://www.sksgroup.com/cert/client.crt

Is there something wrong?

I cannot use the verify command (openssl verify -CAfile chain.crt sub.crt), I always get this error:

Code:

Error loading file chain.crt
1804:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:169:fopen('chain.crt','r')
1804:error:2006D080:BIO routines:BIO_new_file:no such file:.\crypto\bio\bss_file
.c:172:1804:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:.\crypto\x509\by_file.c:274:

thank you for the help :-)

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Problem with intermediate certificate

Post by maikcat » Tue Jul 15, 2014 5:48 am

also AFAIK the merged file must contain: your CA + intermediate CA.
can you recreate your chain.crt by using the above statement?

please use

Code:

cat ca.crt sub.crt > chain.crt

Michael.

fabienfs
OpenVpn Newbie
Posts: 17
Joined: Sun Mar 23, 2014 12:48 pm

Re: Problem with intermediate certificate

Post by fabienfs » Tue Jul 15, 2014 6:33 am

maikcat wrote: can you recreate your chain.crt by using the above statement?

Code:

cat ca.crt sub.crt > chain.crt

Ok, I have created a file with the two CAs (ca.crt and sub.crt): http://www.sksgroup.com/cert/chain-ca.crt

But what do I do next with this chained certificate? Do I need to replace ca.crt with chain.crt in the OpenVPN config file? (I tried to replace it but I still get the same error.) Or is it just for the verify command?


thanks :)

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Problem with intermediate certificate

Post by maikcat » Tue Jul 15, 2014 10:34 am

your server needs to have the stacked cert,

your client needs to have the original ca + client cert.

post both configs please.

Michael.

fabienfs
OpenVpn Newbie
Posts: 17
Joined: Sun Mar 23, 2014 12:48 pm

Re: Problem with intermediate certificate

Post by fabienfs » Tue Jul 15, 2014 9:59 pm

maikcat wrote: your server needs to have the stacked cert,

your client needs to have the original ca + client cert.

thank you very much maikcat!
it works :-)

Is it me, or is the wiki about certificate chains incorrect? https://community.openvpn.net/openvpn/w ... ate_Chains
It says that the client is the one who must have a chained certificate, whereas in this case it is the server that has to have it.

trut
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 20, 2022 10:42 pm

Re: Problem with intermediate certificate

Post by trut » Tue Sep 20, 2022 11:05 pm

Just in reply to the last comment made by fabienfs: "Is it me or the wiki about certificate chains isn't correct?"

It actually makes sense that the server needs the chained certificate and the client only needs the root certificate. The server needs the chained CA certificates in order to validate the client certificate, which was signed by the intermediary CA, which in turn was signed by the root CA. On the other hand, the client only needs the root certificate to validate the server certificate. The client itself doesn't need to validate its own certificate; and as a matter of fact, it doesn't have the intermediary CA certificate to do so even if it wanted to. Conversely, the client doesn't need the intermediary certificate to validate the server certificate. So based on the above discussion and reported solution, this all makes perfectly good sense.
