I finally got my OpenCA installation working satisfactorily (maybe I'll cover some minor issues later), and the first thing I wanted to do was to generate certs for our OpenVPN server and clients.
However, in my installation, the VPN server template (./openssl/extfiles/VPN_Server.ext) had:

    nsCertType = server
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment

However, according to the OpenVPN docs (http://openvpn.net/howto.html#mitm) - which I consulted after getting a message such as "invalid purpose" from OpenVPN - I need:

    nsCertType = server
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage = serverAuth

For client certs, "User" role is ok.

Regards,
Buchan

--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
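Added example, not part of the original message and not OpenCA or OpenVPN code: a small Python check that reads an OpenSSL extension template and reports which of the values listed in the post for an OpenVPN server certificate are missing. The function names and the simplified parser (section names ignored, last assignment of a key wins) are assumptions made for this illustration.

```python
# Added example: lint an OpenSSL extension template against the values the
# post lists for an OpenVPN server certificate. Names are illustrative.

# Required values, taken from the post above.
REQUIRED = {
    "nsCertType": {"server"},
    "keyUsage": {"nonRepudiation", "digitalSignature",
                 "keyEncipherment", "keyAgreement"},
    "extendedKeyUsage": {"serverAuth"},
}


def parse_extfile(text):
    """Return {key: set(values)} from 'key = v1, v2' lines.

    Simplified: section headers, blank lines and # comments are skipped,
    a later assignment of the same key replaces an earlier one, and the
    'critical' flag is not counted as a value.
    """
    parsed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values = {v.strip() for v in value.split(",") if v.strip()}
        values.discard("critical")
        parsed[key.strip()] = values
    return parsed


def missing_for_openvpn_server(text):
    """Return {key: sorted missing values}; an empty dict means no gaps."""
    have = parse_extfile(text)
    gaps = {}
    for key, needed in REQUIRED.items():
        lacking = needed - have.get(key, set())
        if lacking:
            gaps[key] = sorted(lacking)
    return gaps


# The two templates quoted in the post.
ORIGINAL_TEMPLATE = (
    "nsCertType = server\n"
    "keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n"
)
FIXED_TEMPLATE = ORIGINAL_TEMPLATE.replace(
    "keyEncipherment", "keyEncipherment, keyAgreement"
) + "extendedKeyUsage = serverAuth\n"

if __name__ == "__main__":
    print("original:", missing_for_openvpn_server(ORIGINAL_TEMPLATE))
    print("fixed:   ", missing_for_openvpn_server(FIXED_TEMPLATE))
```

Running this kind of check on the template before issuing certificates shows the gap up front, rather than through an "invalid purpose" message at connection time.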
