
I have created a CA and an intermediate CA using easy-rsa 2.0. On the OpenVPN server I use the intermediate certificate export_ca (as per the easy-rsa spec). When I revoke a certificate on my intermediate CA and copy the new crl.pem file to the OpenVPN server I get this message:

CRL: CRL /etc/openvpn/crl.pem is from a different issuer than the issuer of certificate

I have read through all the OpenVPN documentation but nothing talks about revoking a cert/user with an intermediate CA. Functionally, the CRL works, i.e. the revoked cert/user isn't able to connect.

I am pretty sure that OpenVPN is complaining because it doesn't have the entire CA chain, but I am not entirely sure. Can anyone explain why I get this?

Hilton D

1 Answer

Looks like you've found a (minor) bug in OpenVPN. You should have the full (public) CA chain on the server by stacking the CA and subCA certs together. When a client connects, the verify process goes through the entire chain and tries to find a matching CRL. As there is no CRL for the intermediate CA itself, this message is printed, which is bogus.

What you should see as well is

CRL CHECK FAILED: [DN] is REVOKED

As long as you see that, the cert issued by the intermediate CA is properly revoked.

HTH,

JJK

janjust
  • OK, can I stack them together by concatenating the files? Should I report this to the OpenVPN team? – Hilton D Oct 21 '10 at 12:35
  • Yes, you can stack CRLs just like CA files. And yes, this should be reported to the OpenVPN team as a (minor) issue: your setup should be working but the warning is spurious and misleading. – janjust Oct 25 '10 at 10:21