No support for intermediate CA?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
Re: No support for intermediate CA?
Sounds like a bug indeed, but you should be able to work around it by pushing the CA+intermediate CA from the server side (by adding the intermediate CA to the server.crt file).
-
- OpenVpn Newbie
- Posts: 13
- Joined: Tue May 21, 2013 8:45 am
No support for intermediate CA?
Hi,
I have a setup with a VPN server, a primary CA and an intermediate CA.
All certificates are issued by the intermediate CA.
When I create a unified ovpn profile, with the certificate of the intermediate CA and of the primary CA in the <ca> section, I cannot connect from an Android device with OpenVPN Connect.
If I try to connect with the same profile directly from a Linux command line, the connection succeeds.
If I create a profile with a certificate issued by the primary CA, the connection succeeds on Android too, which leads me to conclude that the Android version of OpenVPN Connect does not support intermediate CAs.
Will this be fixed any time soon?
regards,
Erik
- jamesyonan
- OpenVPN Inc.
- Posts: 169
- Joined: Thu Jan 24, 2013 12:13 am
Re: No support for intermediate CA?
OpenVPN Connect fully supports intermediate certificates. There must be something else amiss here.
James
-
- OpenVpn Newbie
- Posts: 13
- Joined: Tue May 21, 2013 8:45 am
Re: No support for intermediate CA?
jamesyonan wrote: OpenVPN Connect fully supports intermediate certificates. There must be something else amiss here.
Certainly there is.

However, I don't know what.
I am using a unified profile that works perfectly if OpenVPN is started from a Linux command line. But the same profile fails with OpenVPN Connect for Android as downloaded from the Play Store.
So I am hoping for some assistance in finding out what goes wrong.
Erik
-
- OpenVpn Newbie
- Posts: 13
- Joined: Tue May 21, 2013 8:45 am
Re: No support for intermediate CA?
Can someone please help me with this? Or can someone point me to where I can file this as a bug? It must be, because the same profile works with the openvpn binary, but not with OpenVPN Connect.
thanks,
Erik
-
- OpenVpn Newbie
- Posts: 13
- Joined: Tue May 21, 2013 8:45 am
Re: No support for intermediate CA? (SOLVED partially)
To recap, I have a primary CA that has created a server certificate for the OpenVPN server. I also have an intermediate CA, inter-ca, that has been granted the privilege by the primary to sign certificates.
So, if I create a client certificate it will be signed by inter-ca.
All of this has been created with the tools and instructions from the easy-rsa kit.
As it turns out, the correct syntax for OpenVPN Connect is that in the <cert> section, I put the client certificate first and the certificate of the intermediate CA second.
In the <ca> section, I put the certificate of the CA.
However, if I use such a profile with the openvpn command line tool from a Linux workstation, it does NOT work. The server claims a client certificate is missing.
For the command line tool, I have to put the certificate of the intermediate CA in the <ca> section.
So clearly, there is a conflict here. The command line version I tested on is 2.2.1 BTW.
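Added example, not part of the original thread: a small Python check that reads the inline <ca> and <cert> sections of a unified profile and reports which of the two layouts described in the post above it uses. The layout names, helper functions and placeholder certificate bodies are assumptions made for illustration; the bodies are constructed strings, not real certificates.

```python
import re

# Inline-file sections of a unified .ovpn profile, e.g. <ca> ... </ca>.
SECTION_RE = re.compile(r"<(ca|cert)>\s*(.*?)\s*</\1>", re.S)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def section_certs(profile):
    """Map section name -> list of PEM certificate bodies, in file order."""
    out = {"ca": [], "cert": []}
    for name, body in SECTION_RE.findall(profile):
        out[name] += ["".join(b.split()) for b in PEM_RE.findall(body)]
    return out


def classify(profile):
    """Name the layout from the thread that a profile matches (names are ours)."""
    certs = section_certs(profile)
    if not certs["cert"] or not certs["ca"]:
        return "incomplete"
    if len(certs["cert"]) > 1 and len(certs["ca"]) == 1:
        return "chain-in-cert"  # reported to work with OpenVPN Connect (Android)
    if len(certs["cert"]) == 1 and len(certs["ca"]) > 1:
        return "chain-in-ca"    # reported to work with openvpn 2.2.1 on Linux
    if len(certs["cert"]) == 1:
        return "single-ca"      # one client cert, one CA, no intermediate
    return "mixed"


def pem(label):
    # Constructed placeholder body, not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


def build(cert_blocks, ca_blocks):
    """Assemble a minimal constructed profile with inline sections."""
    return ("client\n<ca>\n" + "".join(ca_blocks) + "</ca>\n"
            "<cert>\n" + "".join(cert_blocks) + "</cert>\n")


CLIENT, INTER, ROOT = pem("Q0xJRU5U"), pem("SU5URVI="), pem("Uk9PVA==")
CONNECT_PROFILE = build([CLIENT, INTER], [ROOT])  # client + intermediate in <cert>
CLI_PROFILE = build([CLIENT], [INTER, ROOT])      # intermediate in <ca>

if __name__ == "__main__":
    for name, p in (("connect", CONNECT_PROFILE), ("cli", CLI_PROFILE)):
        print(name, classify(p), {k: len(v) for k, v in section_certs(p).items()})
```

The check only counts certificate blocks per section; it does not parse the certificates or verify that they actually chain to each other.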