On 10/3/2023 6:15 PM, Selva Nair wrote:
> With that order the key won't match the certificate and the server
> should not even start. Looks like your cross-signed certificate has
> the server's public key -- it should have the new CA's public key
> signed by the old CA. What error do you get on old clients with the
> correct order?
Hi Selva,
Thank you very much for your help on this. OK, now creating a req
using the newca.key and signing that with the old-ca.key. But I don't
think I am doing the signing or the req correctly (steps below).
Is there an extra step I need to do, or am I misunderstanding where
the intermediary cert needs to go or what needs to be signed?
> You can check by verifying the new server certificate against the old CA
> using the openssl CLI like this:
> $ openssl verify -show_chain -CAfile old-ca.crt -untrusted cross-signed-cert.crt new-server-cert.crt
This fails with just the old-ca.crt:
% openssl verify -show_chain -CAfile old-ca.crt -untrusted int.crt sentex-remote-only.crt
CN = sentex-remote-only
error 20 at 0 depth lookup: unable to get local issuer certificate
error sentex-remote-only.crt: verification failed
But it works with the new CA or a CA bundle of old and new:
% openssl verify -show_chain -CAfile newca.crt -untrusted int.crt sentex-remote-only.crt
sentex-remote-only.crt: OK
Chain:
depth=0: CN = sentex-remote-only (untrusted)
depth=1: CN = Sentex-remote-only CA
> It should show the cross-signed certificate at depth 1 linking the new
> server certificate to the old CA at depth 2.
> Direct verification using the new CA would be
> $ openssl verify -show_chain -CAfile new-ca.crt new-server-cert.crt
This seems OK too:
% openssl verify -show_chain -CAfile newca.crt sentex-remote-only.crt
sentex-remote-only.crt: OK
Chain:
depth=0: CN = sentex-remote-only (untrusted)
depth=1: CN = Sentex-remote-only CA
The config I have is:
ca keys/new/ca2.crt
cert keys/new/sentex-remote-only-with-int.crt
key keys/new/sentex-remote-only.key
dh keys/dh2048.pem
Where sentex-remote-only-with-int.crt consists of the original cert
from easyrsa build-server-full with the contents of int.crt, which
was the result of me doing a req on the new server and a sign on the old:
new pki: openssl req -new -key ca.key -out ca-top-as-intermediary.csr
old pki: openssl ca -config ../openssl-filled.cnf -days 3000 -notext -md sha1 -in ca-top-as-intermediary.csr -out ca-top-as-intermediary.crt
It is the file ca-top-as-intermediary.crt that I add to the bottom of
sentex-remote-only-with-int.crt.
The old client, when connecting to the new server, errors out with:
WR2023-10-04 16:35:39 us=628210 TLS: Initial packet from
[AF_INET]192.168.1.240.37:1194, sid=3dfa8ff9 fee92d10
WWRWRWR2023-10-04 16:35:39 us=637602 VERIFY ERROR: depth=0, error=unable
to get local issuer certificate: CN=sentex-remote-only,
serial=280627447715071598736699649985448938624
2023-10-04 16:35:39 us=643601 OpenSSL: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
---Mike
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
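Added example (not from this thread, and not easy-rsa's or OpenVPN's own tooling): a shell script that runs the cross-signing procedure discussed above end to end against throwaway keys in a temporary directory, then applies the openssl verify checks from the thread. It uses openssl x509 -req with an explicit extension file in place of easy-rsa's openssl ca setup, so the CA names ("Old VPN CA", "New VPN CA"), the subjects, the file names and the ext.cnf sections are all assumptions of the example. It checks the two things the chain depends on: that the cross-signed certificate carries the new CA's public key (Selva's point), and that it was issued with CA:TRUE, so that verification against old-ca.crt shows the old CA at depth 2. It also issues a second cross certificate with the server extension section to show that verification then fails.

```shell
#!/bin/sh
# Added example for the thread above (not easy-rsa's or OpenVPN's code):
# cross-sign a new CA with the old CA and check the chain with openssl.
# All names, subjects and file names are made up; keys are throwaway.
set -eu

WORK=${WORK:-$(mktemp -d)}

# The extension section used at signing time decides whether a certificate
# may act as an issuer. A cross-signed CA must be issued with v3_ca; issuing
# it with v3_server (CA:FALSE) gives a certificate that cannot link a chain.
write_config() {
    cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

gen_key() {  # gen_key <file>
    openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

make_ca() {  # make_ca <name> <subject>: self-signed CA -> $WORK/<name>.key and .crt
    gen_key "$WORK/$1.key"
    openssl req -x509 -new -key "$WORK/$1.key" -subj "$2" -sha256 -days 3650 \
        -config "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/$1.crt"
}

# sign_key <issuer name> <key file> <subject> <ext section> <out name>
# CSR for an EXISTING key, signed by <issuer>. For the cross certificate the
# key is the new CA's key and the subject is the new CA's subject, so the
# result carries the new CA's public key and the issuer name in server.crt
# still matches it.
sign_key() {
    openssl req -new -key "$WORK/$2" -subj "$3" -config "$WORK/ext.cnf" \
        -out "$WORK/$5.csr"
    openssl x509 -req -in "$WORK/$5.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -sha256 -days 3000 -extfile "$WORK/ext.cnf" \
        -extensions "$4" -out "$WORK/$5.crt"
}

same_pubkey() {  # same_pubkey <cert> <key>: does <cert> carry <key>'s public key?
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

verify_chain() {  # verify_chain <trust anchor name> <untrusted file> <leaf file>
    openssl verify -show_chain -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2" "$WORK/$3"
}

demo() {
    write_config
    make_ca old-ca "/CN=Old VPN CA"   # what the old clients trust
    make_ca new-ca "/CN=New VPN CA"   # issuer of the new server certificate
    gen_key "$WORK/server.key"
    sign_key new-ca server.key "/CN=vpn-server" v3_server server
    # Correct cross certificate: subject must equal new-ca.crt's subject exactly.
    sign_key old-ca new-ca.key "/CN=New VPN CA" v3_ca cross-ca
    # Same CSR issued with the server section: looks similar, cannot be an issuer.
    sign_key old-ca new-ca.key "/CN=New VPN CA" v3_server cross-wrong
    # What the OpenVPN 'cert' file holds: server certificate first, cross cert after.
    cat "$WORK/server.crt" "$WORK/cross-ca.crt" > "$WORK/server-with-int.crt"

    same_pubkey "$WORK/cross-ca.crt" "$WORK/new-ca.key"
    echo "== old client (trusts old-ca.crt): expect Old VPN CA at depth 2"
    verify_chain old-ca cross-ca.crt server.crt
    echo "== new client (trusts new-ca.crt), given the bundle the server sends"
    verify_chain new-ca server-with-int.crt server.crt
    echo "== cross certificate issued with CA:FALSE: expected to fail"
    if verify_chain old-ca cross-wrong.crt server.crt; then
        echo "unexpectedly verified"; return 1
    fi
}

demo
```

Run it with sh; it prints the three chains. The bundle written to server-with-int.crt is what the OpenVPN cert option should point at: the server certificate first, then the cross-signed certificate. The script signs with SHA-256 deliberately: OpenSSL 3 does not accept SHA-1 certificate signatures at its default security level, so a cross certificate signed with -md sha1 would be rejected by clients built against it even when the chain is otherwise correct.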