OpenVPN Support Forum

Posted: **Mon May 07, 2018 9:13 am**

Hi, I have installed OPENVPN in my mikrotik v6.42.1

I have created my own CA, server and client certificartes.

But when I try to connect I get this error:

Mon May 07 10:59:15 2018 us=431584 ++ Certificate has key usage 00b6, expects 00a0
Mon May 07 10:59:15 2018 us=431584 ++ Certificate has key usage 00b6, expects 0088
Mon May 07 10:59:15 2018 us=431584 VERIFY KU ERROR
Mon May 07 10:59:15 2018 us=432554 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mon May 07 10:59:15 2018 us=432554 TLS_ERROR: BIO read tls_read_plaintext error
Mon May 07 10:59:15 2018 us=432554 TLS Error: TLS object -> incoming plaintext read error
Mon May 07 10:59:15 2018 us=432554 TLS Error: TLS handshake failed
Mon May 07 10:59:15 2018 us=433555 Fatal TLS error (check_tls_errors_co), restarting
Mon May 07 10:59:15 2018 us=433555 TCP/UDP: Closing socket

this is the config in the client:
-----------------------------------------
resolv-retry infinite
nobind
persist-key
persist-tun
ca cert_Ca_Ados.crt
cert cert_Ados_client1.crt
key cert_Ados_client1.key
tls-client
remote-cert-tls server
cipher AES-256-CBC
verb 4
mute 10
------------------------------------------

I don't know how export config to a file from Mikrotik

Thanks everybody in advance

Posted: **Mon May 07, 2018 11:38 am**

Please use:
https://github.com/OpenVPN/easy-rsa/releases

Then upload the files to your device.

Posted: **Mon May 07, 2018 11:42 am**

It looks like your certificates are messed up. How did you make them?

I have no idea what a Mikrotik is. Are you able to run OpenSSL commands on it? If so, you can check your certificates like this:

openssl x509 -in ca.crt -text
openssl x509 -in server.crt -text
openssl x509 -in client.crt -text

You should get results like these:

CA:
X509v3 Key Usage: Certificate Sign, CRL Sign

Server:
X509v3 Extended Key Usage: TLS Web Server Authentication
X509v3 Key Usage: Digital Signature, Key Encipherment

Client:
X509v3 Extended Key Usage: TLS Web Client Authentication
X509v3 Key Usage: Digital Signature

Posted: **Mon May 07, 2018 2:36 pm**

Hi bbuckm, I did "openssl x509 -in ca.crt -text" with an Ubuntu and give an issue "Error opening".

x509 it's a format for certificates? maybe i haven't exported as x509. It's mandatori for OPENVPN use this kind "x509"?

Thanks

Posted: **Mon May 07, 2018 2:56 pm**

Yes, they are X509 certificates. You can make them on Linux or you can make them on Windows. I’ve never heard of Mikrotik and dont know anything about it.

OpenVPN Support Forum

verify key usage error.

verify key usage error.

Re: verify key usage error.

Re: verify key usage error.

Re: verify key usage error.

Re: verify key usage error.