Hi,

On 29/08/17 22:06, Gregory Sloop wrote:
Re: [Openvpn-users] Server vs Client cert generation

So a few observations and possible clues/issues:

I should probably do another test, though I'm worn out from all the hassle of 
the last go-round. [But I think I kept all the "test" certs I used, so testing 
should be easier...]

But I think your cert shows:

      X509v3 extensions:
           X509v3 Basic Constraints: critical
               CA:FALSE
           X509v3 Extended Key Usage: 
               TLS Web Server Authentication
           X509v3 Key Usage: critical
               Digital Signature, Key Encipherment

and while I don't have the > text from openssl, I do have it from certtool, and 
it shows:

Key Purpose (not critical):
       TLS WWW Server.

[Critical vs not critical]

I don't know what difference that makes in the cert/key - but that's the only 
difference I see. [And, IIRC, that cert/key that's "TLS WWW Server" but non 
critical *fails* when I try to use the OpenVPN directive "remote-cert-tls 
server." But the EasyRSA generated one, like yours works fine.]

I haven't been able to determine how to make the extension/constraints 
"critical" in CertTool, so I can't test if that's the problem/issue.

Any insight you can shed here would be fab. [Or anyone else, for that matter.]

My cert shows the exact same output as yours:

    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Key Purpose (not critical):
            TLS WWW Server.
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Subject Key Identifier (not critical):
            40f4ad5fa5a1b1f01642a4420c623b496af85e4a
        Authority Key Identifier (not critical):
            28142f46f3db31a807404e0d5c9af3490f6caab9

as the "Key Purpose" is not critical; I've just tested this certificate on a 
server, connected a client to it with 'remote-cert-tls server' enabled and it 
works just fine.
BTW: This was using OpenVPN 2.4.3 on the server, 2.4.0 on the client.
What happens if you use your cert and connect a client with "verb 5" set? You 
should see log messages similar to VERIFY KU OK and VERIFY EKU OK.

HTH,

JJK



Thanks for the follow-up. 
Let me do some testing, and I'll get back to you. [I hope I kept all the old 
certs...so I don't have to generate those again.]
It might be a few days - but I'll try to clear time to do it.

-Greg
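As an added, stand-alone illustration of the "critical vs not critical" point under discussion (this is not code from the thread and not OpenVPN's own verification code): the Python below constructs the Extensions block of a server cert like the ones quoted above, once with the Extended Key Usage marked critical and once not, parses it back, and applies a model of what "remote-cert-tls server" checks. That model is an assumption on my part, taken from the manual's description of remote-cert-tls server as equivalent to remote-cert-eku "TLS Web Server Authentication" plus remote-cert-ku (digitalSignature together with keyEncipherment or keyAgreement); OpenVPN's real implementation may differ in details such as how a missing Key Usage extension is treated. The DER bytes are constructed here, not taken from any real certificate. What it shows is that "critical" is a separate DER BOOLEAN in each Extension that such a purpose check never reads, so a non-critical Key Purpose passes exactly like a critical one, which matches the result JJK reports.

```python
# OIDs for the three extensions shown in the thread, plus the two EKU purposes
BASIC_CONSTRAINTS_OID, KEY_USAGE_OID, EXT_KEY_USAGE_OID = "2.5.29.19", "2.5.29.15", "2.5.29.37"
SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"
# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of the BIT STRING
KU_BITS = {"digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2, "dataEncipherment": 3,
           "keyAgreement": 4, "keyCertSign": 5, "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8}

def der_len(n):  # DER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunks = [p & 0x7F]
        p >>= 7
        while p:
            chunks.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunks))  # base-128, high bit set on all but the last octet
    return tlv(0x06, bytes(body))

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def encode_key_usage(names):
    bits = 0
    for n in names:
        bits |= 1 << (15 - KU_BITS[n])
    raw = bits.to_bytes(2, "big").rstrip(b"\x00")
    if not raw:
        return tlv(0x03, b"\x00")
    unused = (raw[-1] & -raw[-1]).bit_length() - 1  # trailing zero bits of the last octet
    return tlv(0x03, bytes([unused]) + raw)

def decode_key_usage(bitstring_body):
    unused, raw = bitstring_body[0], bitstring_body[1:]
    total = len(raw) * 8 - unused
    return {n for n, i in KU_BITS.items() if i < total and (raw[i // 8] >> (7 - i % 8)) & 1}

def extension(oid, value_der, critical):
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    # DER omits a BOOLEAN equal to its default, so "not critical" means no BOOLEAN at all.
    body = encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, body + tlv(0x04, value_der))

def build_extensions(purpose_oid, ku_names, eku_critical):
    # Constructed block mirroring the thread's server cert: CA:FALSE (critical),
    # one EKU purpose (critical or not), Key Usage (critical).
    return tlv(0x30, extension(BASIC_CONSTRAINTS_OID, tlv(0x30, b""), True)
               + extension(EXT_KEY_USAGE_OID, tlv(0x30, encode_oid(purpose_oid)), eku_critical)
               + extension(KEY_USAGE_OID, encode_key_usage(ku_names), True))

def parse_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_extensions(der):
    """Return {oid: (critical, extnValue bytes)} from an Extensions SEQUENCE."""
    _, body, _ = parse_tlv(der, 0)
    out, pos = {}, 0
    while pos < len(body):
        _, ext, pos = parse_tlv(body, pos)
        _, oid_body, p = parse_tlv(ext, 0)
        t, v, p = parse_tlv(ext, p)
        critical = False
        if t == 0x01:  # explicit BOOLEAN present, so the extension is critical
            critical = v == b"\xff"
            t, v, p = parse_tlv(ext, p)
        out[decode_oid(oid_body)] = (critical, v)
    return out

def remote_cert_tls_server_ok(exts):
    """Model (an assumption, see lead-in) of what 'remote-cert-tls server' requires: EKU lists
    serverAuth and KU has digitalSignature plus keyEncipherment or keyAgreement.
    The critical flag is deliberately never consulted."""
    if EXT_KEY_USAGE_OID not in exts or KEY_USAGE_OID not in exts:
        return False
    _, seq, _ = parse_tlv(exts[EXT_KEY_USAGE_OID][1], 0)
    purposes, pos = [], 0
    while pos < len(seq):
        _, ob, pos = parse_tlv(seq, pos)
        purposes.append(decode_oid(ob))
    _, bs, _ = parse_tlv(exts[KEY_USAGE_OID][1], 0)
    usage = decode_key_usage(bs)
    return SERVER_AUTH in purposes and "digitalSignature" in usage and bool(usage & {"keyEncipherment", "keyAgreement"})
```

Calling `parse_extensions(build_extensions(SERVER_AUTH, ["digitalSignature", "keyEncipherment"], eku_critical))` with `eku_critical` set both ways gives two blocks that differ only in the presence of the BOOLEAN after the EKU OID, and `remote_cert_tls_server_ok` accepts both; a block built with `CLIENT_AUTH` instead, or with a Key Usage lacking keyEncipherment and keyAgreement, is rejected regardless of the critical flag. The Key Usage encoder produces the same `03 02 05 a0` bytes that openssl prints as "Digital Signature, Key Encipherment".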

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
