Hi, I think the easy-rsa/openssl.cnf file should be modified so that client certs would match current OpenVPN expectations. Please see my bug report at http://bugs.gentoo.org/show_bug.cgi?id=320171 . For convenience, I am attaching the patch here. Did I get it right what has to be done? Would someone fix the HOWTO and FAQ documentation to describe the keyUsage fields and what is actually required for what? There are too many hits in Google for "unsupported certificate purpose". ;)
Regards Martin
--- /usr/share/openvpn/easy-rsa/openssl.cnf 2010-05-17 14:51:02.000000000 +0200 +++ openssl.cnf 2010-05-17 14:36:05.000000000 +0200 @@ -173,7 +173,7 @@ # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. -# nsCertType = server +# nsCertType = client, server, email # For an object signing certificate this would be used. # nsCertType = objsign @@ -182,7 +182,7 @@ # nsCertType = client, email # and for everything including object signing: -# nsCertType = client, email, objsign +# nsCertType = server, client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment @@ -193,8 +193,9 @@ # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always -extendedKeyUsage=clientAuth -keyUsage = digitalSignature +extendedKeyUsage=clientAuth,serverAuth +#extendedKeyUsage=clientAuth,serverAuth,ipsecUser,ipsecTunnel,ipsecEndSystem +keyUsage = digitalSignature, keyEncipherment # This stuff is for subjectAltName and issuerAltname. # Import the email address.
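Review bot: both lines touched in the first hunk (@@ -173,7) are commented-out examples, so this hunk changes nothing in any certificate easy-rsa issues; and the new example `# nsCertType = client, server, email` now sits directly under the sentence "This is OK for an SSL server.", which describes a server-only value and no longer matches the line below it. If the intent is to document what OpenVPN expects, write that in the comment in words; if the intent is to change issued certificates, the change has to go into the active `nsCertType` line of the relevant section, not into an example.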
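Review bot: the second hunk (@@ -182,7) has the same problem: `# nsCertType = server, client, email, objsign` is a comment, so nothing issued changes. Listing `server` under "everything including object signing" is accurate as an enumeration, but it still does not say what a client certificate should carry, which is exactly the documentation gap the cover text complains about; a one-line comment stating "client certificates: clientAuth only, server certificates: serverAuth" would be more useful than growing the example lists.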
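Review bot: in the third hunk (@@ -193,8) `extendedKeyUsage=clientAuth,serverAuth` is being set in the section that every client certificate gets (the one carrying the "PKIX recommendations harmless if included in all certificates" comment), and that is a security regression rather than a fix. OpenVPN's `remote-cert-tls server` (and the older `ns-cert-type server`) on the client side exists precisely so that only a certificate marked for server use is accepted as the server; once every client certificate also carries serverAuth, any enrolled client can present its own certificate to other clients and pass that check, i.e. impersonate the server. "unsupported certificate purpose" is what a peer logs when the presented certificate's EKU lacks the purpose being checked, and the right cure is to issue server certificates from a section that has `extendedKeyUsage=serverAuth` while this section stays at `clientAuth`. Two smaller points: the added `#extendedKeyUsage=clientAuth,serverAuth,ipsecUser,ipsecTunnel,ipsecEndSystem` line is an unexplained commented-out leftover and should either be dropped or get a comment saying when it is needed; and `keyUsage = digitalSignature, keyEncipherment` is fine for an RSA client key, but the cover text should say why keyEncipherment is being added.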
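To see the purpose checks behind "unsupported certificate purpose" concretely, here is an added example script that is not part of the original post or of easy-rsa. It builds a throwaway CA with the openssl command-line tool, issues one client certificate with the extension values the section above had before the patch (extendedKeyUsage=clientAuth, keyUsage=digitalSignature) and one server certificate with serverAuth plus digitalSignature,keyEncipherment, and then runs `openssl verify -purpose` against both. The CA name, subject names, file names and the minimal req config are constructed for the example; the extension files mirror the active lines shown in the hunk, not easy-rsa's complete sections.

```shell
#!/bin/sh
# Added example: not code from the original post or from easy-rsa.
# Builds a throwaway CA, issues a client cert (clientAuth only) and a
# server cert (serverAuth only), then checks each with `openssl verify
# -purpose`, which is the same X509 purpose check that yields
# "unsupported certificate purpose".  Needs only the openssl CLI.
set -eu

# Minimal req config so the script does not depend on the system openssl.cnf.
# (constructed for this example; -subj overrides the placeholder CN)
write_req_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
}

# issue DIR NAME SUBJECT : key + CSR + CA-signed cert using DIR/NAME.ext
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# make_pki DIR : creates ca.crt, client.crt and server.crt in DIR
make_pki() {
    dir=$1
    mkdir -p "$dir"
    write_req_cnf "$dir/req.cnf"

    # Self-signed CA; keyCertSign is required for the purpose checks to accept it.
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -subj "/CN=Example CA" -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # Client cert: the active lines the hunk replaces (clientAuth, digitalSignature).
    cat > "$dir/client.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
    issue "$dir" client "/CN=client1"

    # Server cert: serverAuth with the keyUsage values the hunk adds.
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
EOF
    issue "$dir" server "/CN=server1"
}

# check_purpose DIR NAME PURPOSE : exit 0 if NAME.crt is valid for PURPOSE
# (sslclient or sslserver), non-zero otherwise.
check_purpose() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# verify_message DIR NAME PURPOSE : openssl's own verify output, for the reader
verify_message() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" 2>&1 || true
}

# demo DIR : print one line per cert/purpose combination
demo() {
    make_pki "$1"
    for cert in client server; do
        for purpose in sslclient sslserver; do
            if check_purpose "$1" "$cert" "$purpose"; then
                echo "$cert.crt -purpose $purpose: OK"
            else
                echo "$cert.crt -purpose $purpose: $(verify_message "$1" "$cert" "$purpose" | grep purpose | head -n 1)"
            fi
        done
    done
}

# Run stand-alone with:  sh purpose-check.sh --demo
if [ "${1-}" = "--demo" ]; then
    demo "$(mktemp -d)"
fi
```

Run it with `--demo` and the client certificate passes `-purpose sslclient` but fails `-purpose sslserver` with "unsupported certificate purpose", and the server certificate does the reverse. That asymmetry is the point: a client cannot be mistaken for the server as long as client certificates carry only clientAuth, and the way to stop the error on the server side is to issue the server certificate with serverAuth, not to put serverAuth on every client.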