Hi,

On 29/08/17 22:06, Gregory Sloop wrote:
> Re: [Openvpn-users] Server vs Client cert generation
>
> So a few observations and possible clues/issues:
>
> I should probably do another test, though I'm worn out from all the hassle of the last go-round. [But I think I kept all the "test" certs I used, so testing should be easier...]
>
> But I think your cert shows:
>
>       X509v3 extensions:
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 Extended Key Usage:
>                TLS Web Server Authentication
>            X509v3 Key Usage: critical
>                Digital Signature, Key Encipherment
>
> and while I don't have the text from openssl, I do have it from certtool, and it shows:
>
> *Key Purpose (not critical):
>        TLS WWW Server.
>
> *[Critical vs not critical]
>
> I don't know what difference that makes in the cert/key - but that's the only difference I see. [And, IIRC, that cert/key that's "TLS WWW Server" but non-critical *fails* when I try to use the OpenVPN directive "remote-cert-tls server". But the EasyRSA-generated one, like yours, works fine.]
>
> I haven't been able to determine how to make the extension/constraints "critical" in CertTool, so I can't test if that's the problem/issue.
>
> Any insight you can shed here would be fab. [Or anyone else, for that matter.]

My cert shows the exact same output as yours:

    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Server.
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Subject Key Identifier (not critical):
            40f4ad5fa5a1b1f01642a4420c623b496af85e4a
        Authority Key Identifier (not critical):
            28142f46f3db31a807404e0d5c9af3490f6caab9

The "Key Purpose" is not critical; I've just tested this certificate on a server, connected a client to it with 'remote-cert-tls server' enabled, and it works just fine.
BTW: This was using OpenVPN 2.4.3 on the server, 2.4.0 on the client.
What happens if you use your cert and connect a client with "verb 5" set? You should see log messages similar to "VERIFY KU OK" and "VERIFY EKU OK".

HTH,

JJK
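As an added example (not from this thread, OpenVPN or EasyRSA), the two checks that 'remote-cert-tls server' implies in OpenVPN 2.4, applied to the extension text quoted above from openssl and certtool. It assumes the 2.4 man page definition (remote-cert-ku with no values plus remote-cert-eku "TLS Web Server Authentication") and shows that the critical flag plays no part in either check.

```python
# Added example (not OpenVPN or EasyRSA code): check the extensions that OpenVPN's
# 'remote-cert-tls server' relies on, read from 'openssl x509 -text' or 'certtool -i' output.
import re
# Header lines: "X509v3 Key Usage: critical" (openssl; only X509v3-prefixed headers are
# recognised, so feed it the extension block) and "Key Purpose (not critical):" (certtool).
# certtool wording is mapped onto the openssl names that OpenVPN's options use.
OPENSSL_HDR = re.compile(r"^\s*X509v3 (?P<name>[A-Za-z ]+?):\s*(?P<crit>critical)?\s*$")
CERTTOOL_HDR = re.compile(r"^\s*(?P<name>[A-Za-z ]+?) \((?P<crit>critical|not critical)\):\s*$")
NAME_ALIASES = {"Key Purpose": "Extended Key Usage"}
VALUE_ALIASES = {"TLS WWW Server": "TLS Web Server Authentication",
                 "TLS WWW Client": "TLS Web Client Authentication"}

def parse_extensions(text):
    """Return {extension name: (is_critical, [values])} from either tool's output."""
    exts, current = {}, None
    for line in text.splitlines():
        m = OPENSSL_HDR.match(line) or CERTTOOL_HDR.match(line)
        if m:
            current = NAME_ALIASES.get(m.group("name").strip(), m.group("name").strip())
            exts[current] = (m.group("crit") == "critical", [])
        elif current and line.strip():
            for v in line.strip().rstrip(".").split(","):
                exts[current][1].append(VALUE_ALIASES.get(v.strip(), v.strip()))
    return exts

def remote_cert_tls_server_ok(text):
    """In OpenVPN 2.4 'remote-cert-tls server' = '--remote-cert-ku' (no values: a Key Usage
    extension must exist, its bits are left to the TLS library) + '--remote-cert-eku "TLS Web
    Server Authentication"'. Neither check reads the critical flag. Returns (ok, problems)."""
    exts = parse_extensions(text)
    problems = []
    if "Key Usage" not in exts:
        problems.append("no Key Usage extension (VERIFY KU fails)")
    if "TLS Web Server Authentication" not in exts.get("Extended Key Usage", (False, []))[1]:
        problems.append("EKU lacks TLS Web Server Authentication (VERIFY EKU fails)")
    return not problems, problems

# Constructed inputs modelled on the thread's two outputs, plus a client-only cert to reject.
OPENSSL_SERVER = """        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
"""
CERTTOOL_SERVER = """        Key Purpose (not critical):
            TLS WWW Server.
        Key Usage (critical):
            Digital signature.
            Key encipherment.
"""
CERTTOOL_CLIENT = CERTTOOL_SERVER.replace("TLS WWW Server", "TLS WWW Client")
```

Both server outputs pass, while the client-only variant is rejected on the EKU check, matching the "VERIFY EKU" line you would see at verb 5.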
