Hi Selva,

    Thank you for looking!


My guess is that something in the certificate or private key is not to OpenSSL 3.1's liking and it rejects it. Is there any way for you to check the contents of the token independently using a tool linked against OpenSSL 3.1?

What am I looking for in that case? Taking a look at the cert just with openssl 3.0 on FreeBSD releng14, it seems ok with it. Same with the Windows version 3.1.x that comes with OpenVPN. Is it possible it doesn't like the sha1RSA sig?

# openssl version
OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
#

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7109 (0x1bc5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = CA, ST = ON, L = Cambridge, O = Sentex CA, CN = Sentex private1test CA CA, emailAddress = m...@sentex.ca
        Validity
            Not Before: Sep 27 19:43:01 2023 GMT
            Not After : Nov 13 19:43:01 2033 GMT
        Subject: C = CA, ST = ON, L = Cambridge, O = Sentex CA, OU = win10, CN = test123456mdt, emailAddress = m...@sentex.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f5:e0:27:b5:28:0a:f8:a9:ce:13:33:a2:ca:27:

...

                    ac:a8:b6:55:bb:a3:a4:43:e5:74:05:aa:c8:69:3d:
                    ed:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier:
                74:72:3A:87:0D:34:7B:1E:11:C6:18:D2:41:99:C6:5E:D1:8A:81:95
            X509v3 Authority Key Identifier:
                keyid:4F:A0:B0:94:92:6F:24:A7:D4:C6:93:A6:AA:25:63:6C:ED:1E:E3:8C
                DirName:/C=CA/ST=ON/L=Cambridge/O=Sentex Parklands CA/CN=Sentex Parklands CA CA/emailAddress=ppsupp...@sentex.ca
                serial:F5:3E:37:76:69:AC:EF:EC
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        10:72:36:db:5c:f3:f5:fb:52:82:c7:4c:72:8f:31:ae: