So, IMO, EasyRSA is pretty broken.

[I'll skip the discussion about why. Go try to run it on Windows and see how 
that works, then we can talk. Also, key encryption defaults.]

I also often need to generate certs for other things and GNU TLS's CertTool 
works pretty well.
I'd like to use one tool to generate all the certificates I generally need - 
it's just easier to keep track of, document etc.

However when I go to generate certs for OpenVPN usage with certtool, it appears 
I have a problem with the "server" attribute.

While I have the following in the certs...
---
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Subject Alternative Name (not critical):
                        DNSname: abc-ovpn-server-01
                Key Purpose (not critical):
                        TLS WWW Server.
                Key Usage (critical):
                        Key encipherment.
                Subject Key Identifier (not critical):
                        xxxx
                Authority Key Identifier (not critical):
                        xxxx
---
...it doesn't appear to be identified as a "server" certificate. [At least in 
pfsense.]
But looking at the certificate info between some EasyRSA certs and the CertTool 
ones, they both have the same extended attributes for Client vs Server.

---
Here's an EasyRSA one...

        Extensions:
                Basic Constraints (not critical):
                        Certificate Authority (CA): FALSE
                Subject Key Identifier (not critical):
                        xxxx
                Authority Key Identifier (not critical):
                        xxxx
                Key Purpose (not critical):
                        TLS WWW Server.
                Key Usage (not critical):
                        Digital signature.
                        Key encipherment.

---
Here - they appear to be very similar, both having the "Key Purpose" of "TLS 
WWW Server" - so I'm puzzled.

So, if the "TLS WWW Server" attribute isn't the proper one, which is?
[Better yet, does anyone have a certtool example? Or a template file (which is 
how I generate them) that produces the proper cert?]

TIA
-Greg
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

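An added example, not code from Greg's post or from the GnuTLS or OpenVPN projects. Comparing the two dumps in the post, the extensions are not quite the same: the EasyRSA certificate's Key Usage has both "Digital signature" and "Key encipherment", while the certtool one has only "Key encipherment". In a certtool template, the `signing_key` keyword is what adds digitalSignature (`encryption_key` only gives keyEncipherment); a server certificate without digitalSignature cannot sign the (EC)DHE handshake, and OpenVPN's `--remote-cert-tls server` check looks for that bit together with the serverAuth key purpose. The script below writes CA, server and client templates that mirror the EasyRSA extension set, builds a PKI with certtool when it is installed, and greps the resulting `certtool -i` dump for the three markers. The names (Example VPN CA, abc-ovpn-server-01, client-01) and the `./pki` path are placeholders; whether the missing Digital signature bit is exactly what pfSense keys on is not something the post shows.

```shell
#!/bin/sh
# Added example, not code from the original post or the GnuTLS/OpenVPN projects.
# certtool templates for an OpenVPN CA, server and client certificate, plus a
# check that a `certtool -i` dump carries the extensions a server cert needs.
# All names and paths (Example VPN CA, abc-ovpn-server-01, ./pki) are placeholders.

ca_template() {
cat <<'EOF'
cn = "Example VPN CA"
ca
cert_signing_key
crl_signing_key
expiration_days = 3650
EOF
}

# 'signing_key' puts "Digital signature" into Key Usage; 'encryption_key' puts
# "Key encipherment"; 'tls_www_server' sets the "TLS WWW Server" Key Purpose.
# The certtool certificate shown in the post had only the 'encryption_key' part.
server_template() {
cat <<'EOF'
cn = "abc-ovpn-server-01"
dns_name = "abc-ovpn-server-01"
signing_key
encryption_key
tls_www_server
expiration_days = 365
EOF
}

client_template() {
cat <<'EOF'
cn = "client-01"
signing_key
encryption_key
tls_www_client
expiration_days = 365
EOF
}

# Read a `certtool -i` dump from stdin; succeed only when Key Usage has both
# Digital signature and Key encipherment and Key Purpose has TLS WWW Server.
check_server_ext() {
  dump=$(cat)
  for marker in "Digital signature" "Key encipherment" "TLS WWW Server"; do
    printf '%s\n' "$dump" | grep -q "$marker" || {
      echo "server cert check failed: missing '$marker'" >&2
      return 1
    }
  done
  return 0
}

# Write the templates and, when certtool is on PATH, build the PKI under ./pki
# and verify the resulting server cert. Subshell body so the cd does not leak.
generate_pki() (
  mkdir -p pki && cd pki || exit 1
  ca_template     > ca.tmpl
  server_template > server.tmpl
  client_template > client.tmpl
  command -v certtool >/dev/null 2>&1 || {
    echo "certtool not found; templates written to ./pki only" >&2; exit 2; }
  certtool --generate-privkey --outfile ca-key.pem
  certtool --generate-self-signed --load-privkey ca-key.pem \
    --template ca.tmpl --outfile ca.pem
  for name in server client; do
    certtool --generate-privkey --outfile "$name-key.pem"
    certtool --generate-certificate --load-privkey "$name-key.pem" \
      --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem \
      --template "$name.tmpl" --outfile "$name.pem"
  done
  # Inspect the signed server cert the same way the dumps in the post were made.
  certtool -i --infile server.pem | check_server_ext
)

generate_pki || echo "PKI not generated (exit $?)" >&2
```

Run it in an empty directory; `pki/server.pem` should then show Key Usage with both Digital signature and Key encipherment and Key Purpose "TLS WWW Server", and `check_server_ext` can be pointed at any existing certificate with `certtool -i --infile cert.pem | check_server_ext` to see which marker a rejected cert is missing.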