Hi, I run my own private CA with a structure like:

    rootCA ---- vpnSubCA
       |           |-------- vpnCertificate1
       |           |-------- vpnCertificate2
       |           |-------- vpnCertificate3
       |
       |---- otherCertificate1
       |---- otherCertificate2
       |---- otherCertificate3
       |---- otherCertificate4

I need OpenVPN to accept (for verify-x509-name and ccd-exclusive) only
certificates signed by vpnSubCA, *not* any certificate signed directly by
"root CA" nor by any other sub-CA of rootCA.

But when I try to do that, I get on the client side an error like:

    VERIFY ERROR: depth=1, error=unable to get local issuer certificate: SUBJECT_OF_vpnSubCA

Here's how I try to do that:

On the client *and* the server, I put in the configuration file

    ca /etc/ssl/certs/vpnSubCA.pem

I successfully got OpenVPN to work with:

 * On the client

       ca /etc/ssl/certs/rootCA.pem

 * On the server

       ca file_with_rootCA_and_vpnSubCA_concatenated

But that does not do what I want.

I'm using OpenVPN 2.3.4 (Debian package).

Thanks in advance for any help,

-- 
Lionel
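
The behaviour reported in the message above, reproduced with `openssl verify` on a throwaway PKI (an added example, not part of the original post). The file names, subjects, key size and the helper functions `issue`, `make_pki` and `chain_ok` are assumptions made for this sketch; only the rootCA / vpnSubCA / certificate layout comes from the message.

```shell
#!/bin/sh
# Constructed PKI with the post's layout: rootCA -> vpnSubCA -> vpnCertificate1,
# plus otherCertificate1 signed directly by rootCA. All names are assumptions.
CNF='[req]
distinguished_name=dn
[dn]
CN=placeholder
[ca_ext]
basicConstraints=critical,CA:TRUE
[leaf_ext]
basicConstraints=CA:FALSE'

# issue <dir> <name> <issuer> <ext-section>: create a key and CSR, sign with <issuer>.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 1 -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -extfile "$1/cnf" -extensions "$4" -out "$1/$2.pem" 2>/dev/null
}

# make_pki <dir>: build the hierarchy and the concatenated rootCA+vpnSubCA file.
make_pki() {
    printf '%s\n' "$CNF" > "$1/cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cnf" \
        -extensions ca_ext -subj "/CN=rootCA" \
        -keyout "$1/rootCA.key" -out "$1/rootCA.pem" 2>/dev/null &&
    issue "$1" vpnSubCA rootCA ca_ext &&
    issue "$1" vpnCertificate1 vpnSubCA leaf_ext &&
    issue "$1" otherCertificate1 rootCA leaf_ext &&
    cat "$1/rootCA.pem" "$1/vpnSubCA.pem" > "$1/bundle.pem"
}

# chain_ok <ca-file> <cert>: true only if OpenSSL reports "<cert>: OK".
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
    d=$(mktemp -d) && make_pki "$d" || return 1
    for ca in vpnSubCA bundle; do
        for cert in vpnCertificate1 otherCertificate1; do
            # Without the self-signed root in the ca file, chain building stops at depth 1.
            if chain_ok "$d/$ca.pem" "$d/$cert.pem"; then r=accepted; else r=rejected; fi
            echo "ca=$ca.pem cert=$cert: $r"
        done
    done
    rm -rf "$d"
}
demo
```

With only vpnSubCA.pem as the CA file both certificates are rejected, and with the concatenated file both are accepted, including the one signed directly by rootCA, which is the outcome the message says is not wanted.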