I have good news and bad news.

Good news:
* OpenVPN sends all certificates from the file supplied for the --server
  directive (although with a small bug: the certificate which you have the
  private key for must be supplied at the top)
* OpenVPN Connect for Android can successfully connect to my server with a
  chain

Bad news:
* OpenVPN 2.3 and master can't connect to this server, with both the OpenSSL
  and PolarSSL backends. Maybe if I supply the certificates in the correct
  order, the client would work.

On 03/04/2016 12:04 AM, ValdikSS wrote:
> Hello everyone,
>
> I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096
> bit one without hassle for clients.
> From an X.509 perspective it shouldn't be a problem, and I already have the
> new CA self-signed and cross-signed with the old CA; it should work just fine.
>
> While there's no problem authenticating clients from both the old and new CA
> using a single instance (multiple certificates in --ca are supported, this
> information is documented), I need to send two certificates from the OpenVPN
> server: the server certificate, which is signed by the new CA, and the new CA
> cross-signed with the old CA. This way it should work for clients with either
> the old or the new CA in their configuration files.
>
> I can't make the server send more than one certificate to the client. It
> seems that multiple certificates in the --cert directive are supported only
> on the client side. Am I missing something, is there a way to push multiple
> certificates from the server? If there isn't a way currently, are there any
> protocol limitations which allow only one certificate to be sent?
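
The migration layout discussed in this thread, as an added example that is not part of either message: it builds the old root, a new CA whose single key gets both a self-signed certificate and a copy cross-signed by the old CA, a server certificate issued by the new CA, and a chain file with the leaf on top (the ordering the reply reports OpenVPN needs). It then checks that chain the way a client with only the old root, and a client with only the new root, would. It assumes the openssl CLI is on PATH; the names Old CA, New CA and vpn.example are constructed placeholders, and the old root uses 2048-bit RSA rather than the thread's 1024 so that current OpenSSL builds accept it at their default security level.

```shell
#!/bin/sh
# Added example (not from the thread): cross-signed CA migration chain for OpenVPN,
# built and checked with the openssl CLI. Everything is generated fresh into $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"

build_chain() {
  cd "$WORK"

  # Extension profiles. authorityKeyIdentifier is keyid only (no issuer/serial):
  # the self-signed and cross-signed copies of New CA share a key but have
  # different serials, so an issuer+serial AKI would break one of the two paths.
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # Old root: what existing clients carry in --ca (constructed placeholder name).
  openssl genrsa -out old-ca.key 2048 2>/dev/null
  openssl req -x509 -new -key old-ca.key -config ext.cnf -extensions ca_ext \
    -subj "/CN=Old CA" -days 3650 -out old-ca.crt

  # New 4096-bit CA key: one key, one CSR, two certificates for it.
  openssl genrsa -out new-ca.key 4096 2>/dev/null
  openssl req -new -key new-ca.key -config ext.cnf -subj "/CN=New CA" -out new-ca.csr
  # (a) self-signed root: what migrated clients will carry in --ca
  openssl req -x509 -new -key new-ca.key -config ext.cnf -extensions ca_ext \
    -subj "/CN=New CA" -days 3650 -out new-ca-root.crt
  # (b) cross-signed by Old CA: what the server sends so old clients can chain up
  openssl x509 -req -in new-ca.csr -CA old-ca.crt -CAkey old-ca.key -CAcreateserial \
    -extfile ext.cnf -extensions ca_ext -days 1825 -out new-ca-cross.crt 2>/dev/null

  # Server certificate issued by New CA (vpn.example is a constructed placeholder).
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -config ext.cnf -subj "/CN=vpn.example" -out server.csr
  openssl x509 -req -in server.csr -CA new-ca-root.crt -CAkey new-ca.key -CAcreateserial \
    -extfile ext.cnf -extensions server_ext -days 365 -out server.crt 2>/dev/null

  # Chain file for the server's --cert: the leaf matching --key first, then the cross cert.
  cat server.crt new-ca-cross.crt > server-chain.pem
}

# True when the first certificate in the chain file is the one server.key belongs to,
# i.e. the ordering the reply above says OpenVPN requires.
chain_leaf_matches_key() {
  [ "$(openssl x509 -in "$WORK/server-chain.pem" -pubkey -noout)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ]
}

# Validate the server chain as a client that trusts only the given root ($1 is a
# file name inside $WORK). Prints "server.crt: OK" and returns 0 on success.
verify_against_root() {
  openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/server-chain.pem" "$WORK/server.crt"
}

build_chain
chain_leaf_matches_key && echo "leaf on top: ok"
verify_against_root old-ca.crt       # old client: server -> New CA (cross) -> Old CA
verify_against_root new-ca-root.crt  # new client: server -> New CA (self-signed root)
```

Both verifications succeed because the two New CA certificates carry the same subject and subject key identifier, so a path builder can swap one for the other; if the server certificate's AKI had pinned the issuer name and serial, only the copy it was literally signed under would validate.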