OpenVPN Support Forum

Hi
I have been looking at
https://community.openvpn.net/openvpn/w ... ate_Chains

and the sample config for server. But I would like to do something slightly different !

I have a certificate from verisign (paid for) for the server. This is to make it easier for the clients to check authen..
But I would like to use the internal openssl CA we have for clients. The server will always have access to the CA and CRL and its a lots cheaper!

So

on the server can I load up the CA.txt with 2 CA's and in the case of verisign can I add in the intemediaries or do I add the intermediaries to the client cert and chain it ....

the question I have is why is the CA.txt for the server relevant for the server cert ....

can I just load up the server.cer file with the interm CA. and load the server CA with just my CA...

Another question .. on my CA i have the root one and a interm one for VPN clients. Can I just add the inter one to the CA.txt file or do I need all. does openvpn just trust what is in the CA.txt file or is it looking for self signed certs !

thanks

Welcome to this forum.
Let me first start with seperating the client-side "ca" and serverside "ca" file:
Serverside CA
The ca-file on the server is used for granting access to the vpn, by the server. It's doing this by cryptographicly checking whether the certificate from the connecting client is issued by (one of) the CA's in it's ca-file. In order to check the trust, it's checked upon the selfsigned root-certificate.
If all checks are correct -this means issued with (one of) the CA's AND chained up to the root, the client is granted access

In your situation, the ca-file on the server should have the root (and intermediate) cert of your own CA. Because these will be the clients granted access by youself.

Clientside CA
Every client wants to be sure it's talking to the correct VPN-server and not some mallory. So upon connection, the servers shows it's certificate to the client. And this is the place where the clientsice ca file hits in: The certificate from the server is checked upon this ca-file, upon the selfsigned root.
If this check succeeded, the client continues connecting.

In your situation the servers shows a certificate of Verisign. This means the client needs to be able to check if the server has a valid Verisign issued certificate and therefor needs the Verisign root- and intermediate certificates.
The client does not have to verify any other client, so it doesn't need to know anything about your private CA, used for issuing client-certificates.

To add-up:
[*]Yes, you need the full path upon the root into any CA-file, whether it is public or private PKI
[*]The CA-file only needs the CA-tree of the certs to be verified.

Cool, thanks, thats what i presumed and was about to test. The doco (link) confused me a bit. For some reason I though the ca.txt file on the server would be used to verify the server cert..

Thanks