I'm fairly certain you need the full cert path, including root and any 
intermediate certs.

To not require this would question the whole point of the certs.

I don't, to be frank, understand why you want to not have the rootCA 
included. The server - correct me if I'm wrong - would only need the 
private key of the subCA and the vpnCerts, so it's not that you need to 
have your CA private key in a place you wouldn't want it.

C

On 2016-04-19 1:41 AM, Lionel Elie Mamane wrote:
> Hi,
>
> I run my own private CA with a structure like:
>
>   rootCA ---- vpnSubCA
>    |            |-------- vpnCertificate1
>    |            |-------- vpnCertificate2
>    |            |-------- vpnCertificate3
>    |
>    |---- otherCertificate1
>    |---- otherCertificate2
>    |---- otherCertificate3
>    |---- otherCertificate4
>
>
> I need OpenVPN to accept (for verify-x509-name and ccd-exclusive)
> only certificates signed by vpnSubCA, *not* any certificate signed
> directly by "root CA" nor by any other sub-CA of rootCA.
>
>
> But when I try to do that, I get on the client side an error like:
>
> VERIFY ERROR: depth=1, error=unable to get local issuer certificate: SUBJECT_OF_vpnSubCA
>
> Here's how I try to do that:
> On the client *and* the server, I put in the configuration file
> ca /etc/ssl/certs/vpnSubCA.pem
>
>
> I successfully got OpenVPN to work with:
>
>   * On the client
>     ca /etc/ssl/certs/rootCA.pem
>
>   * On the server
>     ca file_with_rootCA_and_vpnSubCA_concatenated
>
> But that does not do what I want.
>
> I'm using OpenVPN 2.3.4 (Debian package).
>
> Thanks in advance for any help,
>


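For the original question (accept only certificates issued by vpnSubCA while the server's `ca` file still carries rootCA and vpnSubCA so that chain building succeeds), one approach is an OpenVPN `--tls-verify` hook. OpenVPN runs the hook once per certificate in the peer's chain with two arguments, the depth (0 = peer certificate, 1 = its issuer, and so on) and that certificate's subject; a non-zero exit rejects the handshake. The script below is an added example, not code from this thread or from the OpenVPN project. It assumes a hypothetical subject DN for vpnSubCA, assumes the 2.3 subject format `C=.., O=.., CN=..` (the legacy `/C=../O=../CN=..` form from `--compat-names` is also accepted), and does not handle DN attribute values that themselves contain `, `. A certificate issued directly by rootCA has rootCA, not vpnSubCA, at depth 1 and is therefore rejected; a certificate from another sub-CA not in the `ca` file never reaches the hook because the chain itself fails.

```python
#!/usr/bin/env python3
"""OpenVPN --tls-verify hook: accept only peer certificates issued by vpnSubCA.

Usage in the server config (the 'ca' file must still contain rootCA and
vpnSubCA concatenated so the chain can be built):

    script-security 2
    tls-verify /etc/openvpn/tls-verify-vpnsubca.py

OpenVPN invokes the script as:  script <depth> <subject>
Exit 0 to accept this certificate, non-zero to reject the connection.
"""
import sys

# Hypothetical subject DN of vpnSubCA; an assumption for this example, not a
# value taken from the original post.
VPN_SUBCA_DN = {"C": "BE", "O": "Example Private CA", "CN": "vpnSubCA"}


def parse_dn(subject):
    """Parse an OpenVPN subject string into a dict of RDN type -> value.

    Accepts the OpenVPN 2.3 format   'C=BE, O=Example, CN=x'
    and the legacy --compat-names    '/C=BE/O=Example/CN=x'.
    Attribute values containing ', ' are not supported (assumption).
    Raises ValueError on a malformed RDN so the caller can fail closed.
    """
    s = subject.strip()
    if s.startswith("/"):
        parts = s[1:].split("/")
    else:
        parts = s.split(", ")
    dn = {}
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        key, value = part.split("=", 1)
        dn[key.strip()] = value.strip()
    return dn


def verify(depth, subject, expected_issuer=VPN_SUBCA_DN):
    """Return True if the certificate at this chain depth is acceptable.

    depth 0: the peer's own certificate (the leaf); nothing to check here,
             the issuer constraint is enforced one level up.
    depth 1: the direct issuer of the leaf; it must be exactly vpnSubCA.
             A leaf signed directly by rootCA has rootCA here -> rejected.
    depth 2+: rootCA above vpnSubCA; already constrained by the 'ca' file.
    """
    dn = parse_dn(subject)
    if depth == 1:
        return dn == expected_issuer
    return True


def main(argv):
    """Command-line entry point as OpenVPN calls it: script <depth> <subject>.

    Returns the process exit code: 0 accept, 1 reject, 2 usage/parse error
    (also a rejection from OpenVPN's point of view).
    """
    if len(argv) != 3:
        return 2
    try:
        depth = int(argv[1])
    except ValueError:
        return 2
    try:
        accepted = verify(depth, argv[2])
    except ValueError:
        accepted = False  # fail closed on a subject we cannot parse
    return 0 if accepted else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The check deliberately compares the whole DN, not just the CN, so a certificate whose issuer merely shares the CN "vpnSubCA" under a different O or C is still rejected; `verify-x509-name` on the client side remains the way to pin the server's own certificate.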
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users