On Wed, Apr 20, 2016 at 12:02:22PM -0400, Simon Deziel wrote:
> On 2016-04-20 11:53 AM, Jan Just Keijser wrote:
>> On 19/04/16 16:12, Lionel Elie Mamane wrote:
>>> On Tue, Apr 19, 2016 at 06:46:27AM -0400, Colin Ryan wrote:
>>>> On 2016-04-19 1:41 AM, Lionel Elie Mamane wrote:
>>>>> I run my own private CA with a structure like:
>>>>>
>>>>> rootCA ---- vpnSubCA
>>>>>   |            |-------- vpnCertificate1
>>>>>   |            |-------- vpnCertificate2
>>>>>   |            |-------- vpnCertificate3
>>>>>   |
>>>>>   |---- otherCertificate1
>>>>>   |---- otherCertificate2
>>>>>   |---- otherCertificate3
>>>>>   |---- otherCertificate4
>>>>>
>>>>> I need OpenVPN to accept (for verify-x509-name and ccid-exclusive)
>>>>> only certificates signed by vpnSubCA, *not* any certificate signed
>>>>> directly by "root CA" nor by any other sub-CA of rootCA.
>>
>> the "proper" way to do this is to use
>> - do a full CA+sub CA check on the server side (i.e. stack ca.crt +
>>   subca.crt into a single file and use it as "ca ..." )
>> - add a "tls-verify" script to ensure that the certificate chain always
>>   ends with the subCA signed by the CA. The "tls-verify" script is called
>>   for each certificate in the stack, e.g.
>
> I never tried it but assumed the "extra-cert" was somehow for those
> special cases. Maybe I'm just not reading the man page properly
> though.

I tried to do that, but it seems that is not what it does. I think that
"just" sends that CA certificate with the local certificate to the peer,
so that the peer can use it as an intermediate certificate to match against
a root CA it trusts.

-- 
Lionel

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
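The tls-verify approach Jan Just describes above, as an added example that is not from this thread nor from the OpenVPN project: OpenVPN runs a `--tls-verify` script once per certificate in the chain, passing the depth (0 = peer certificate, 1 = its issuer, and so on) and that certificate's X.509 subject string, and a non-zero exit rejects the connection. The script below rejects any chain whose depth-1 certificate is not vpnSubCA, which covers both certificates issued directly by rootCA and those issued by another sub-CA; the vpnSubCA subject string is an assumed placeholder.

```shell
#!/bin/sh
# Added example: OpenVPN --tls-verify script restricting peers to vpnSubCA.
# OpenVPN calls this script as:  script <depth> <subject>
# for every certificate in the peer's chain. Exit 0 accepts, non-zero rejects.
# The subject below is a constructed placeholder; copy the exact subject
# string that OpenVPN logs for your own vpnSubCA (field order matters).
EXPECTED_SUBCA_SUBJECT="CN=vpnSubCA, O=Example Org, C=XX"

# check_cert DEPTH SUBJECT -> returns 0 to accept, 1 to reject
check_cert() {
    depth="$1"
    subject="$2"
    case "$depth" in
        1)
            # The direct issuer of the peer certificate must be vpnSubCA.
            # A leaf issued straight by rootCA (rootCA appears at depth 1)
            # or by any other sub-CA shows a different subject here.
            if [ "$subject" = "$EXPECTED_SUBCA_SUBJECT" ]; then
                return 0
            fi
            echo "tls-verify: issuer at depth 1 is '$subject', expected vpnSubCA" >&2
            return 1
            ;;
        *)
            # Depth 0 (the peer certificate) and depth >= 2 (rootCA) pass here;
            # signatures and validity are already checked by OpenVPN's --ca
            # verification against the stacked ca.crt + subca.crt file.
            return 0
            ;;
    esac
}

# When invoked by OpenVPN, run the check on the two supplied arguments.
if [ "$#" -eq 2 ]; then
    check_cert "$1" "$2"
    exit $?
fi
```

Install it with `tls-verify /path/to/this-script.sh` in the server config alongside the stacked `ca` file; `script-security 2` is required for OpenVPN to execute external scripts.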