Hi,

On 09-08-17 19:34, Gregory Sloop wrote:
> I also often need to generate certs for other things and GNU TLS's
> CertTool works pretty well.
> I'd like to use one tool to generate all the certificates I generally
> need - it's just easier to keep track of, document etc.
>
> However when I go to generate certs for OpenVPN usage with certtool, it
> appears I have a problem with the "server" attribute.
>
> While I have the following in the certs...
> ---
> Extensions:
> Basic Constraints (critical):
> Certificate Authority (CA): FALSE
> Subject Alternative Name (not critical):
> DNSname: abc-ovpn-server-01
> Key Purpose (not critical):
> TLS WWW Server.
> Key Usage (critical):
> Key encipherment.
> Subject Key Identifier (not critical):
> xxxx
> Authority Key Identifier (not critical):
> xxxx
> ---
> ...it doesn't appear to be identified as a "server" certificate. [At
> least in pfsense.]
I have no clue about how to use certtool, but I'll give this a shot.

Do you know what certtool means with "Key purpose"? Is that its own invented name for extendedKeyUsage?

Also, what are you using to check that this is a "server" certificate? --remote-cert-tls? or --ns-cert-type? or something homegrown?

In any case, this certificate seems to miss the digitalSignature keyUsage, which is required if you want to use TLS cipher suites with forward secrecy (DH/ECDH). Modern OpenVPN by default only supports cipher suites with forward secrecy. So although this has nothing to do with "server" attributes, it is likely to cause the connection to fail.

As always, post logs and configs if you want better answers.

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
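As an added illustration of the keyUsage point above (this is example code, not part of either message in the thread and not from the GnuTLS or OpenVPN projects): the quoted certificate shows only "Key encipherment." under Key Usage, so a certtool template that requests both the digitalSignature and keyEncipherment bits, plus the serverAuth extended key usage that "TLS WWW Server" denotes, is shown first, followed by a small POSIX shell check that reads a `certtool -i` text dump and reports which of those three markers is missing. The template keywords `signing_key`, `encryption_key`, `tls_www_server` and `dns_name` are GnuTLS certtool template options; the host name, file names and the sample dumps are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GnuTLS certtool; the
# host name abc-ovpn-server-01 is reused from the quoted certificate.

# Write a certtool template for an OpenVPN server certificate to the
# path given as $1. Compared with the quoted certificate, the difference
# is the extra signing_key line, which adds the digitalSignature bit.
write_server_template() {
cat > "$1" <<'EOF'
cn = "abc-ovpn-server-01"
dns_name = "abc-ovpn-server-01"
expiration_days = 365
# keyUsage: digitalSignature is what (EC)DHE suites need; keyEncipherment
# only covers RSA key transport, which forward-secret suites never use.
signing_key
encryption_key
# extendedKeyUsage: serverAuth ("TLS WWW Server" in certtool's dump),
# which a client using --remote-cert-tls server expects to find.
tls_www_server
EOF
}

# Read a `certtool -i` text dump on stdin. Return 0 when the dump carries
# digitalSignature, keyEncipherment and serverAuth; otherwise print the
# missing items on stderr and return 1.
check_server_cert_dump() {
  dump=$(cat)
  missing=""
  printf '%s\n' "$dump" | grep -q 'Digital signature' || missing="$missing digitalSignature"
  printf '%s\n' "$dump" | grep -q 'Key encipherment'  || missing="$missing keyEncipherment"
  printf '%s\n' "$dump" | grep -q 'TLS WWW Server'    || missing="$missing serverAuth"
  if [ -n "$missing" ]; then
    echo "missing:$missing" >&2
    return 1
  fi
  return 0
}

# Typical use once certtool and a CA key pair (ca.crt / ca.key) exist:
#   write_server_template server.tmpl
#   certtool --generate-privkey --outfile server.key
#   certtool --generate-certificate --load-privkey server.key \
#       --load-ca-certificate ca.crt --load-ca-privkey ca.key \
#       --template server.tmpl --outfile server.crt
#   certtool -i --infile server.crt | check_server_cert_dump
```

The check deliberately keys on certtool's own wording ("Digital signature.", "Key encipherment.", "TLS WWW Server."), so it can be run against the dump of any existing certificate before it is handed to OpenVPN or pfSense, rather than only against ones generated from the template above.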