Folks,
Stock configurations with an EasyRSA-created cert chain, i.e. ca.crt,
server.crt and client.crt.
CA and downward is soon expiring.
I've created an entirely new chain, then combined the ca.crt PEM outputs
into a common file, i.e.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
My understanding was that so long as the first chain had not yet expired
I could do this, then start upgrading my clients files with their new
client.key/client.crt and old and new would work against this. Then when
all clients were updated I could remove reference to the original CA on
the server side.
The combined CA.crt file successfully validates both old and new
server.crt files via
openssl verify -CAfile combined-ca.crt oldserver.crt and
openssl verify -CAfile combined-ca.crt newserver.crt
But whenever I try to start OpenVPN I get the following:
Cannot load CA certificate file combined-ca.crt (entry 2 did not validate)
Cannot load CA certificate file combined-ca.crt (only 1 of 2 entries were valid X509 names)
Exiting due to fatal error
I even regen'ed them again so that the issuer and subject paths were
different.
All the basic checks pass. Both old and new certs have correct Basic
Constraints of CA:TRUE, and the signature algorithms are correct and the same.
All openssl based checks work, it seems to be a validation challenge
within OpenVPN.
I even tried doing c_rehash against the certs in their directory and
tried using the "capath" directive instead of "ca". That seemed to let the
process start, but the client then failed validation.
Thoughts?
Sincerely
Colin
_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
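An added example, not part of the post above and not OpenVPN or OpenSSL code: a small linter for a combined CA bundle that splits the file into PEM entries the way OpenSSL's PEM reader does and reports, per entry, why it would not load. It checks only framing (exactly five dashes in the markers, matching BEGIN/END labels, clean base64) and that the decoded bytes form one DER SEQUENCE whose encoded length matches the payload; it does not verify signatures, dates or CA:TRUE, which `openssl verify` and `openssl x509 -text` already cover. An entry that fails these checks is the kind that typically produces a "did not validate" message for that entry number and drops it from the "N of M entries" count. The sample bundle is constructed (minimal DER SEQUENCEs, not real certificates) so the script runs offline; the name `lint_pem_bundle` is this example's own.

```python
from __future__ import annotations

import base64
import binascii
import re

# Strict PEM framing as OpenSSL's PEM reader expects: exactly five dashes.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
# Anything that looks like a marker but does not match the strict form.
LOOSE_MARKER_RE = re.compile(r"^-+\s*(BEGIN|END)\b")


def der_length_ok(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose encoded length matches the payload.
    A real X.509 Certificate is such a SEQUENCE; this catches truncation and
    corruption without parsing the certificate itself."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        body_len, hdr_len = first, 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        body_len = int.from_bytes(der[2:2 + n], "big")
        hdr_len = 2 + n
    return hdr_len + body_len == len(der)


def _finish(entry: dict) -> None:
    """Decode the collected base64 body and record per-entry problems."""
    if entry["label"] != "CERTIFICATE":
        entry["errors"].append(f"label is {entry['label']!r}, not CERTIFICATE")
    try:
        der = base64.b64decode("".join(entry["body"]), validate=True)
    except (binascii.Error, ValueError) as exc:
        entry["errors"].append(f"base64 decode failed: {exc}")
        return
    if not der_length_ok(der):
        entry["errors"].append("DER outer SEQUENCE length does not match payload")


def lint_pem_bundle(text: str) -> dict:
    """Split a PEM bundle (e.g. the file given to OpenVPN's 'ca' directive)
    into entries and report which entry would fail to load and why.
    Returns {'entries': [...], 'problems': [...]}; 'problems' holds
    bundle-level issues such as malformed markers or unterminated blocks."""
    entries, problems = [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if (m := BEGIN_RE.match(line)):
            if current is not None:       # previous block never closed
                problems.append(f"line {lineno}: BEGIN before entry {current['index']} was closed")
                current["errors"].append("missing END marker")
                _finish(current)
                entries.append(current)
            current = {"index": len(entries) + 1, "label": m.group(1),
                       "line": lineno, "body": [], "errors": []}
        elif (m := END_RE.match(line)):
            if current is None:
                problems.append(f"line {lineno}: END marker without a matching BEGIN")
                continue
            if m.group(1) != current["label"]:
                current["errors"].append(
                    f"END label {m.group(1)!r} does not match BEGIN label {current['label']!r}")
            _finish(current)
            entries.append(current)
            current = None
        elif LOOSE_MARKER_RE.match(line):
            # e.g. '----BEGIN CERTIFICATE----' with four dashes: OpenSSL does
            # not recognise it, so that entry silently disappears from the bundle.
            problems.append(f"line {lineno}: malformed PEM marker {line!r} (need exactly five dashes)")
        elif current is not None:
            current["body"].append(line)
        # Text outside BEGIN/END blocks (e.g. 'openssl x509 -text' output) is ignored, as OpenSSL does.
    if current is not None:
        current["errors"].append("missing END marker")
        _finish(current)
        entries.append(current)
    return {"entries": entries, "problems": problems}


def summarize(report: dict) -> tuple:
    """(valid entries, total entries), mirroring the 'only N of M entries' wording."""
    entries = report["entries"]
    return sum(1 for e in entries if not e["errors"]), len(entries)


# Constructed sample bundle (not real certificates): entry 1 is a minimal DER
# SEQUENCE (30 03 02 01 01); entry 2 is the same bytes truncated by one, the
# sort of damage a bad copy-paste produces; the third block uses four-dash markers.
GOOD_ENTRY = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
TRUNCATED_ENTRY = "-----BEGIN CERTIFICATE-----\nMAMCAQ==\n-----END CERTIFICATE-----\n"
FOUR_DASH_ENTRY = "----BEGIN CERTIFICATE----\nMAMCAQE=\n----END CERTIFICATE----\n"
SAMPLE_BUNDLE = GOOD_ENTRY + TRUNCATED_ENTRY + FOUR_DASH_ENTRY

if __name__ == "__main__":
    report = lint_pem_bundle(SAMPLE_BUNDLE)
    for e in report["entries"]:
        status = "ok" if not e["errors"] else "; ".join(e["errors"])
        print(f"entry {e['index']} (line {e['line']}): {status}")
    for p in report["problems"]:
        print("bundle:", p)
    ok, total = summarize(report)
    print(f"{ok} of {total} entries valid")
```

To run it against a real file, call `lint_pem_bundle(open("combined-ca.crt").read())`; an entry flagged here is the one to re-export from EasyRSA, while a bundle that passes this linter but still fails in OpenVPN points at certificate content (subject/issuer names, extensions) rather than file framing.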