I've hit a bit of a snag configuring OpenVPN to use an internal CA, and I was hoping someone here might be able to tell me categorically whether what I'm trying to do will work or not.
My basic requirement is that I need to create a number of VPNs, and I want to prevent users of a given VPN from being able to use their client certificate to access the other VPNs. I have my own private CA (OpenSSL) already, so my idea was that I could use my root certificate to issue an intermediate certificate for each VPN I create. I would then issue client certificates using the intermediate, and configure each VPN to use the appropriate intermediate cert as its CA.
In my testing, however, it seems that this does not work. Despite configuring the intermediate cert as the CA, it seems OpenVPN still checks up the chain all the way to the root, and unless that root CA is trusted, the connection fails, with OpenVPN complaining about a self-signed certificate in the chain.
So my questions are:
* Is this expected behaviour?
* Is there some other way to achieve the separation I want? I've considered separate CAs altogether, and also a client-connect script. Are there other options?
Thanks!
Issuing client certs with a CA intermediate cert.
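The following is an added example, not code from the original post or from the OpenVPN project. It reproduces with the plain `openssl` CLI the trust situations the post describes: a throwaway root issues one intermediate per VPN, each intermediate issues one client certificate, and chain verification is then run with the intermediate alone as the trust anchor, with the intermediate plus root, and with the intermediate alone plus OpenSSL's `-partial_chain` flag. The last check is a strict issuer-DN comparison of the kind a per-VPN verification script could apply. It assumes an `openssl` binary (1.0.2 or newer for `-partial_chain`); all names, DNs and the extension profiles are constructed for the demo, and nothing here describes how OpenVPN itself configures trust.

```shell
#!/bin/sh
# Added example, not code from the original post: builds a throwaway PKI
# (root -> one intermediate per VPN -> one client cert each) in a temp dir,
# then shows with the openssl CLI how chain verification behaves for the
# trust configurations discussed in the post. Requires the openssl CLI
# (1.0.2+ for -partial_chain); every name below is made up for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (constructed): an intermediate must carry CA:TRUE or
# OpenSSL will not accept it as an issuer; clients get a clientAuth leaf.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Self-signed root, standing in for the private CA in the post.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -days 30 -keyout root.key -out root.crt >/dev/null 2>&1

# issue NAME SUBJECT ISSUER PROFILE: make a key + CSR, sign it under ISSUER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions "$4" -out "$1.crt" >/dev/null 2>&1
}

issue intA "/CN=VPN-A Intermediate" root ca    # intermediate for VPN A
issue intB "/CN=VPN-B Intermediate" root ca    # intermediate for VPN B
issue cA   "/CN=alice"              intA leaf  # client enrolled on VPN A
issue cB   "/CN=bob"                intB leaf  # client enrolled on VPN B
cat intA.crt root.crt > chainA.pem             # intermediate + root bundle

# verify_cert TRUSTED LEAF [extra openssl verify flags...]
# exit 0 iff openssl accepts LEAF with TRUSTED as the only trust anchors
verify_cert() {
  trusted=$1; leaf=$2; shift 2
  openssl verify -CAfile "$trusted" "$@" "$leaf" >/dev/null 2>&1
}

# issued_by CERT CN: exit 0 iff CERT's issuer DN is exactly "CN=<CN>"
# (a strict issuer check; a per-VPN script could apply the same test)
issued_by() {
  [ "$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" \
        | sed 's/^issuer=[[:space:]]*//')" = "CN=$2" ]
}

# show LABEL CMD...: print whether the verification CMD accepts or rejects
show() {
  label=$1; shift
  if "$@"; then echo "accepted: $label"; else echo "rejected: $label"; fi
}

show "intermediate alone as trust anchor (full chain required)" \
     verify_cert intA.crt cA.crt
show "intermediate alone, -partial_chain" \
     verify_cert intA.crt cA.crt -partial_chain
show "intermediate + root, VPN-A client" \
     verify_cert chainA.pem cA.crt
show "intermediate + root, VPN-B client presenting its own intermediate" \
     verify_cert chainA.pem cB.crt -untrusted intB.crt
show "intermediate alone, -partial_chain, VPN-B client" \
     verify_cert intA.crt cB.crt -partial_chain -untrusted intB.crt
show "issuer check against VPN-A, VPN-A client" \
     issued_by cA.crt "VPN-A Intermediate"
show "issuer check against VPN-A, VPN-B client" \
     issued_by cB.crt "VPN-A Intermediate"
```

The fourth line of output is the risk the post is worried about: once the root is in the trust bundle, a client from VPN B that sends its own intermediate along with its certificate builds a valid chain to that root and is accepted. The `-partial_chain` and issuer-DN checks show two ways to express "trust ends at this intermediate" with OpenSSL tooling, independent of how any particular VPN server is configured.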