Hi,

On 04/03/16 22:58, ValdikSS wrote:
I have good news and bad news:

Good news:

  * OpenVPN sends all certificates from the server supplied for the
    --server directive (although with a small bug that a certificate
    for which you have the private key must be supplied on the top)
  * OpenVPN Connect for Android can successfully connect to my server
    with a chain


Bad news:

  * OpenVPN 2.3 and master can't connect to this server, with both
    OpenSSL and PolarSSL backends. Maybe if I supply certificates in the
    correct order, the client would work.



How did you generate the cross-signed CA certs? I've looked around but all cross-signing either requires you to use the same private key (i.e. bit size) or that you extend the trust of one CA with that of another. The first is of no help as the key size needs to be different. The second (extending trust) does not work as you'd need to install this cross-trust CA at the client side. I found this interesting example on how to generate cross-signed certs here:
https://chromium.googlesource.com/chromium/src/net/+/master/data/ssl


JJK

On 03/04/2016 12:04 AM, ValdikSS wrote:
Hello everyone,

I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit 
one without a hassle for the clients.
From an X.509 perspective it shouldn't be a problem, and I already have the new CA 
self-signed and cross-signed with the old CA; it should work just fine.

While there's no problem authenticating clients from both old and new CA using a 
single instance (multiple certificates in --ca are supported, this information is 
documented), I need to send two certificates from the OpenVPN server: the server 
certificate, which is signed by the new CA, and the new CA cross-signed with the old CA. 
This way it should work for clients with either the old or the new CA in their configuration files.

I can't get the server to send more than one certificate to the client. It seems 
that multiple certificates in the --cert directive are supported only on the client
side. Am I missing something, is there a way to push multiple certificates from the 
server? If there isn't a way currently, are there any protocol limitations which
allow only one certificate to be sent?
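The cross-signing ValdikSS describes (and JJK asks about), as an added example that is not from this thread or from the OpenVPN project: a POSIX shell script driving the openssl command line. It builds the old root CA, the new root CA (self-signed), a second certificate for the same new CA key and subject signed by the old CA (the cross-signed cert), and a server certificate issued by the new CA. It then verifies the server certificate the way a client with only the old CA in --ca would, and the way a client with only the new CA would. The CA names, file names and the server name are assumptions; the 1024/4096 key sizes follow the thread, and the old-client check without the cross cert is included to show why the server has to present it.

```shell
#!/bin/sh
# Added example: cross-signing a new CA with an old one using openssl, then
# verifying a server cert from both clients' points of view. Not OpenVPN code.
set -eu

OLD_BITS=1024   # legacy CA size from the thread; raise to 2048 on builds that refuse 1024
NEW_BITS=4096   # new CA size from the thread

# Extensions for a CA cert (the cross-signed cert must be CA:TRUE or it cannot
# act as an intermediate) and for the server leaf. Assumed, minimal profiles.
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'
LEAF_EXT='basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'

# build_pki DIR: create old-ca, new-ca (self-signed), new-ca-cross (same key,
# signed by old-ca) and a server cert issued by new-ca inside DIR.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "$CA_EXT" > "$dir/ca.ext"
    printf '%s\n' "$LEAF_EXT" > "$dir/leaf.ext"

    # Old CA: self-signed, small key, the root existing clients already trust.
    openssl req -x509 -newkey "rsa:$OLD_BITS" -nodes -sha256 -days 30 \
        -subj "/CN=Old OpenVPN CA" -keyout "$dir/old-ca.key" -out "$dir/old-ca.crt" 2>/dev/null
    # New CA: fresh 4096-bit key with its own self-signed certificate.
    openssl req -x509 -newkey "rsa:$NEW_BITS" -nodes -sha256 -days 30 \
        -subj "/CN=New OpenVPN CA" -keyout "$dir/new-ca.key" -out "$dir/new-ca.crt" 2>/dev/null

    # Cross-sign: a CSR for the SAME new CA key and subject, signed by the old CA.
    # Only the signature differs; no second key is involved, so key sizes can differ.
    openssl req -new -key "$dir/new-ca.key" -subj "/CN=New OpenVPN CA" \
        -out "$dir/new-ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/new-ca.csr" -CA "$dir/old-ca.crt" -CAkey "$dir/old-ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" \
        -out "$dir/new-ca-cross.crt" 2>/dev/null

    # Server certificate issued by the new CA only (assumed server name).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/new-ca.crt" -CAkey "$dir/new-ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/server.crt" 2>/dev/null

    # What the server should present: the leaf (whose key it holds) first,
    # then the cross-signed CA cert. This is the file one would hand to --cert.
    cat "$dir/server.crt" "$dir/new-ca-cross.crt" > "$dir/server-chain.pem"
}

# check TRUSTED_CA LEAF [UNTRUSTED]: prints "ok" if LEAF chains to TRUSTED_CA,
# using the optional UNTRUSTED file as sent-by-the-server intermediates.
check() {
    if [ $# -ge 3 ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null || true)
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>/dev/null || true)
    fi
    if printf '%s\n' "$out" | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# A client that still has only old-ca.crt in --ca: needs the cross cert to reach its root.
verify_as_old_client() { check "$1/old-ca.crt" "$1/server.crt" "$1/new-ca-cross.crt"; }
# A client that already has new-ca.crt: the cross cert is simply not needed.
verify_as_new_client() { check "$1/new-ca.crt" "$1/server.crt" "$1/new-ca-cross.crt"; }
# The failure mode from the thread: old client, server sends only the leaf.
verify_old_client_without_cross() { check "$1/old-ca.crt" "$1/server.crt"; }

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR"
echo "old-CA client, server sends leaf + cross cert: $(verify_as_old_client "$PKI_DIR")"
echo "new-CA client, server sends leaf + cross cert: $(verify_as_new_client "$PKI_DIR")"
echo "old-CA client, server sends leaf only:         $(verify_old_client_without_cross "$PKI_DIR")"
```

The three checks mirror the migration: a client with the old CA validates the leaf through new-ca-cross.crt up to the old root, a client with the new CA ignores the cross cert and stops at new-ca.crt, and a client with the old CA that receives only the leaf fails, which is exactly why the server must send both certificates with the leaf on top.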




