Well, unfortunately I have a requirement to use the Windows server 2008
certificate authority role. I have never used it before, so I am not
exactly sure what I am doing. Is the nsCertType=server something that has
to also be applied to the certificate authority? I did just realize that I
think on the command line, I need to be using -reqexts instead of
-extensions, as -extensions applies to the -x509 switch.



On Wed, Aug 20, 2014 at 11:21 AM, Jan Just Keijser <janj...@nikhef.nl>
wrote:

> Hi Derek,
>
>
> Derek Cole wrote:
>
>> Hello,
>>
>> I have been trying to figure out how to add the nsCertType=server
>> extension for certificates I am giving to my openvpn servers.
>>
>> I have a [ req ] section of my openssl.cnf file, which I have some
>> options set in, and I also have a
>> [ server ] sections which has only one line: nsCertType = server
>>
>> When I create the cert request, I do it with a command like this:
>>
>> openssl req -new -subj /CN=Name/OU=Unit/O=Org -key server.key -out
>> server.csr -config C:\cert\openssl.conf -extensions server
>>
>> However, this does not seem to be working, as I still get the VERIFY
>> nsCertType error.
>>
>> What am I doing wrong here? Also, should I be able to skip the
>> commandline -extensions option if I just make the [ req ] section have the
>> option x509_extensions = server ?
>>
>>
> why not use the easy-rsa 2.0 scripts (from openvpn 2.2+) and run
>
> . ./vars
> ./clean-all
> ./build-ca
> ./build-key-server
> ?
>
> that will automatically generate a server cert for you with the right
> extensions set.
>
> HTH,
>
> JJK
>
>
------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to