Oh I see. I am using the Windows certificate authority to sign the
certificate. This sounds like maybe I need to rebuild that CA with some
options to issue as a server? I thought that it was the requesting party
that could specify what kind of certificate they wanted.


On Wed, Aug 20, 2014 at 11:24 AM, Jan Just Keijser <janj...@nikhef.nl>
wrote:

> Derek Cole wrote:
>
>> Well, unfortunately I have a requirement to use the Windows server 2008
>> certificate authority role. I have never used it before, so I am not
>> exactly sure what I am doing. Is the nsCertType=server something that has
>> to also be applied to the certificate authority? I did just realize that I
>> think on the command line, I need to be using -reqexts instead of
>> -extensions, as -extensions applies to the -x509 switch.
>>
> The thing is, the extensions are usually added by the signing party,
> not the requesting party. Are you not using openssl to sign the
> certificate?
>
> JJK
>
>
>
>>
>> On Wed, Aug 20, 2014 at 11:21 AM, Jan Just Keijser <janj...@nikhef.nl>
>> wrote:
>>
>>     Hi Derek,
>>
>>
>>     Derek Cole wrote:
>>
>>         Hello,
>>
>>         I have been trying to figure out how to add the
>>         nsCertType=server extension for certificates I am giving to my
>>         openvpn servers.
>>
>>         I have a [ req ] section of my openssl.cnf file, which I have
>>         some options set in, and I also have a
>>         [ server ] section which has only one line: nsCertType = server
>>
>>         When I create the cert request, I do it with a command like this:
>>
>>         openssl req -new -subj /CN=Name/OU=Unit/O=Org -key server.key
>>         -out server.csr -config C:\cert\openssl.conf -extensions server
>>
>>         However, this does not seem to be working, as I still get the
>>         VERIFY nsCertType error.
>>
>>         What am I doing wrong here? Also, should I be able to skip the
>>         commandline -extensions option if I just make the [ req ]
>>         section have the option x509_extensions = server ?
>>
>>
>>     why not use the easy-rsa 2.0 scripts (from openvpn 2.2+) and run
>>
>>     . ./vars
>>     ./clean-all
>>     ./build-ca
>>     ./build-key-server
>>     ?
>>
>>     that will automatically generate a server cert for you with the
>>     right extensions set.
>>
>>     HTH,
>>
>>     JJK
>>
>>
>>
>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
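
The point discussed in this thread, that a CSR can only request nsCertType while the signer decides what ends up in the certificate, shown as an added example that is not part of the original messages. It assumes OpenSSL acts as the signing CA (not the Windows CA role mentioned above); the file names, subjects and the `ca_ext` section are constructed for the demo.

```shell
#!/bin/sh
# Added demo: the CSR carries a *request* for nsCertType; the signer sets the real value.
# All names, subjects and paths here are constructed for this example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
[ server ]
nsCertType = server
EOF

# Throwaway CA, a stand-in for whatever CA actually signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -config "$CNF" -extensions ca_ext -keyout "$WORK/ca.key" -out "$WORK/ca.crt"

# Requesting party: -reqexts places the [ server ] section in the CSR as a request.
openssl genrsa -out "$WORK/server.key" 2048
openssl req -new -key "$WORK/server.key" -subj "/CN=vpn.example.test" \
  -config "$CNF" -reqexts server -out "$WORK/server.csr"

# Signing party, case 1: sign without naming any extensions.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/plain.crt"

# Signing party, case 2: the signer applies the [ server ] extensions itself.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$CNF" -extensions server -out "$WORK/server.crt"

# "SSL Server" is how openssl prints nsCertType=server in -text output.
csr_requests_server_type() {
  openssl req -in "$1" -noout -text -config "$CNF" | grep -q 'SSL Server'
}
has_server_type() {
  openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

csr_requests_server_type "$WORK/server.csr" && echo "server.csr: requests nsCertType=server"
has_server_type "$WORK/plain.crt" || echo "plain.crt:  no nsCertType, the request was not copied"
has_server_type "$WORK/server.crt" && echo "server.crt: nsCertType=server, set by the signer"
```

Running `openssl x509 -in <cert> -noout -text` against the certificate a CA returns is the quickest way to confirm whether the extension made it into the issued certificate.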