Hi,

> think I am getting closer with the "one step" process with an
> intermediary cert. I am able to start up the server with both the new CA
> signed server cert and the intermediary as outlined in "Step 3" above.
> However, it's like the server is not sending two server certs to the
> connecting client and the stacked crt is not working. In my openvpn config
> if I have something like
>
> ca keys/new/ca2.crt
> cert keys/new/ronly.pem
> key keys/new/r-only.key
>
> Where ca2.crt contains both the root certificates (old and new) and
> ronly.pem contains both the new OpenVPN server cert and the intermediary CA
> crt signed by the old CA, it only works for one client or the other based
> on where I have the certificate in the .pem file. So if I put the new cert
> first in the list, new clients can connect.

This is the correct order -- the server certificate first, followed by the
cross-signed certificate. OpenVPN parses the first one as the server
certificate and uses trailing ones, if any, for building the chain.

> If I put the intermediary first in the file, old clients can connect, but
> not the new ones.

With that order the key won't match the certificate and the server should
not even start. Looks like your cross-signed certificate has the server's
public key -- it should have the new CA's public key signed by the old CA.
What error do you get on old clients with the correct order?

> Is there an extra step I need to do or am I misunderstanding where the
> intermediary cert needs to go or what needs to be signed?

You can check by verifying the new server certificate against the old CA
using the openssl CLI like this:

$ openssl verify -show_chain -CAfile old-ca.crt -untrusted cross-signed-cert.crt new-server-cert.crt

It should show the cross-signed certificate at depth 1 linking the new server
certificate to the old CA at depth 2. Direct verification using the new CA
would be

$ openssl verify -show_chain -CAfile new-ca.crt new-server-cert.crt

Selva
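The setup Selva describes, reproduced end to end as an added example (not part of the thread, and not OpenVPN's own tooling): an old root CA, a new root CA, the new CA's key cross-signed by the old CA, a server certificate issued by the new CA, then both verification paths plus the "first certificate in the stacked file must match the key" check. All file names and CNs are made up.

```shell
#!/bin/sh
# Added example (not from the thread): build an old CA, a new CA, a copy of
# the new CA cross-signed by the old CA, and a server cert issued by the new
# CA, then run both verification paths from the reply. All names are made up.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Extension files: CA:TRUE for roots and the cross-signed cert, leaf for server.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext

mk_csr() {  # $1 = file base, $2 = CN; makes $1.key and $1.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}
# Two self-signed roots (old and new).
mk_csr old 'Old CA'
openssl x509 -req -in old.csr -signkey old.key -days 30 -extfile ca.ext -out old.crt 2>/dev/null
mk_csr new 'New CA'
openssl x509 -req -in new.csr -signkey new.key -days 30 -extfile ca.ext -out new.crt 2>/dev/null
# Cross-sign: the NEW CA's subject and public key (same CSR), signed by the OLD CA.
openssl x509 -req -in new.csr -CA old.crt -CAkey old.key -CAcreateserial \
  -days 30 -extfile ca.ext -out cross.crt 2>/dev/null
# Server certificate issued by the new CA.
mk_csr server 'vpn.example'
openssl x509 -req -in server.csr -CA new.crt -CAkey new.key -CAcreateserial \
  -days 30 -extfile srv.ext -out server.crt 2>/dev/null

# Stacked "cert" files as OpenVPN reads them: server cert first is the correct order.
cat server.crt cross.crt > stacked-ok.pem
cat cross.crt server.crt > stacked-bad.pem

# Old clients trust old.crt and reach it through the cross-signed cert at depth 1.
verify_via_cross() {
  openssl verify -show_chain -CAfile old.crt -untrusted cross.crt server.crt \
    | grep -q 'depth=2'
}
# New clients trust new.crt directly.
verify_direct() { openssl verify -CAfile new.crt server.crt >/dev/null; }
# OpenVPN treats the first cert in the file as the server cert, so its public
# key must match the private key given with "key".
first_cert_matches_key() {  # $1 = stacked pem, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Run it and call the three functions: the cross path, the direct path and the correctly ordered stack pass, while the intermediary-first stack fails the key match, which is why the server would not start with that order.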
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users