
Simple OpenVPN Setup with SSL Authentication.

SSL-Setup: Root-CA > Intermediate-CA > Issuing-CA

All certificates (vpn-server and -clients) are issued by the "Issuing-CA".

I tried to use the certificate of the Issuing-CA as the OpenVPN ca parameter (ca.pem) in the OpenVPN (server and client) config.

This did not work.

I had to add the complete certificate chain to the ca.pem. Then it worked.

I thought the ca parameter specifies trusted CAs. I do not want to include the whole certificate chain since I do not see the necessity for this! On the contrary, this seems dangerous to me, since the Root-CA and the Intermediate-CA can issue certificates for CNs that are used in the VPN! I would classify this as a security risk.

Is there a way to set a trust anchor to a non-root-CA?

Michuelnik
  • How did it "not work"? Please include client and server logs indicating any errors. – mgorven Jul 19 '12 at 06:50
  • This is not the question. I found the problem, and searching the internet (I missed telling that, though...) indicates that OpenVPN does certificate verification up to the root and does not view the ca parameter as a trusted CA. Even if I might have made a mistake, my question is in the last sentence and needs no debugging of my verbose explanation. – Michuelnik Jul 19 '12 at 07:12
  • Public keys are public and can be distributed freely. This is by design. – Michael Hampton Jul 19 '12 at 07:15
  • @Michael Hampton: Yes. But that does not cover all the constraints given. And it's really not an answer to the security concern I mentioned. – Michuelnik Jul 19 '12 at 07:18
  • It is an answer. The certificates (and the public keys they contain) are public by their nature. It's their private keys that are private; without those you can't sign anything. I can go into any web browser and retrieve the trusted root certificates from all of the major CAs. – SmallClanger Jul 19 '12 at 07:56
  • What do I have to clarify here? I do not talk about private keys here. But if I add the Root-CA and Intermediate-CA public keys to my ca.pem, all certificates issued by them (with appropriate CNs) will also be accepted! – Michuelnik Jul 19 '12 at 07:58
  • I think you're encountering a design decision by the OpenVPN team: you are meant to make a PKI for a given VPN. This might be something to bring up in the OpenVPN forums. I, for one, would be interested to know what you find. – cjc Jul 19 '12 at 10:55

0 Answers
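Both halves of the question, where the trust anchor may sit and what a trusted Root-CA lets an attacker do, come down to what the peer's X.509 path validation accepts and what is checked after it. The following is an added example, not code from the question, its comments or OpenVPN: it builds the same Root-CA > Intermediate-CA > Issuing-CA hierarchy in memory and validates a legitimate vpn-server certificate and a rogue one issued straight by the Root-CA. It uses Go's crypto/x509 as the verifier, which accepts whatever is placed in Roots as an anchor, self-signed or not, so it does not reproduce the failure the poster saw; OpenSSL's verifier, which OpenVPN uses, only accepts a non-self-signed anchor when X509_V_FLAG_PARTIAL_CHAIN (OpenSSL 1.0.2 and later) is set. What the example does show is the risk in the post: once the Root-CA is the anchor, any CA above the Issuing-CA can mint an acceptable vpn-server certificate, and the defence is to pin the leaf's actual issuer by fingerprint after path validation, which is the kind of check an OpenVPN --tls-verify script can make. The type and function names (PKI, issue, pool, acceptForVPN, evaluate) and the throwaway P-256 keys are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI models the hierarchy in the question (Root-CA > Intermediate-CA > Issuing-CA) with a
// legitimate "vpn-server" leaf from the Issuing-CA and a rogue one minted directly by the Root-CA.
type PKI struct {
	Root, Inter, Issuing, Server, Rogue *x509.Certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates and signs a throwaway certificate for cn; with parent == nil it is self-signed.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der) // parse the DER back so the struct is what a peer would see
	must(err)
	return cert, key
}

// NewPKI builds the three CAs and both "vpn-server" leaves in memory.
func NewPKI() *PKI {
	root, rootKey := issue("Root-CA", true, 1, nil, nil)
	inter, interKey := issue("Intermediate-CA", true, 2, root, rootKey)
	issuing, issuingKey := issue("Issuing-CA", true, 3, inter, interKey)
	server, _ := issue("vpn-server", false, 4, issuing, issuingKey)
	rogue, _ := issue("vpn-server", false, 99, root, rootKey) // the case the poster is worried about
	return &PKI{Root: root, Inter: inter, Issuing: issuing, Server: server, Rogue: rogue}
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	cp := x509.NewCertPool()
	for _, c := range certs {
		cp.AddCert(c)
	}
	return cp
}

// acceptForVPN is the policy an OpenVPN --tls-verify script would add on top of path validation:
// the certificate that actually signed the leaf must be the pinned Issuing-CA. It compares the
// fingerprint of the issuer in the validated path, not the leaf's Issuer name, which any CA above could copy.
func acceptForVPN(chain []*x509.Certificate, pinnedIssuer *x509.Certificate) error {
	if len(chain) < 2 || sha256.Sum256(chain[1].Raw) != sha256.Sum256(pinnedIssuer.Raw) {
		return fmt.Errorf("leaf not issued by the pinned Issuing-CA (validated path length %d)", len(chain))
	}
	return nil
}

// evaluate runs X.509 path validation with the given trust anchors and intermediates and, if the
// path is accepted, the VPN policy. It returns the path length (leaf first), the path error and the
// policy error. Go's crypto/x509 treats any certificate in roots as a trust anchor.
func (p *PKI) evaluate(leaf *x509.Certificate, roots, inters *x509.CertPool) (int, error, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err, nil
	}
	return len(chains[0]), nil, acceptForVPN(chains[0], p.Issuing)
}

func main() {
	p := NewPKI()
	fmt.Println(p.evaluate(p.Server, pool(p.Issuing), pool()))                // anchor = Issuing-CA only
	fmt.Println(p.evaluate(p.Server, pool(p.Root), pool(p.Inter, p.Issuing))) // anchor = Root-CA, full chain
	fmt.Println(p.evaluate(p.Rogue, pool(p.Root), pool(p.Inter, p.Issuing)))  // rogue leaf: path OK, policy fails
	fmt.Println(p.evaluate(p.Rogue, pool(p.Issuing), pool()))                 // rogue leaf: no path at all
}
```

Each line main prints is the accepted path length, the path-validation error and the policy error. The legitimate leaf passes with either anchor (path length 2 under the Issuing-CA, 4 under the Root-CA). The rogue leaf passes plain path validation under the Root-CA anchor and is stopped only by the fingerprint pin; under the Issuing-CA anchor it has no path at all, which is the property the poster wanted from ca.pem. In OpenVPN the place for the acceptForVPN check is a --tls-verify script: OpenVPN runs it once per certificate in the peer's chain with the depth and subject as arguments and exports per-depth certificate data such as the tls_digest_{n} fingerprints, so the script can require that the depth-1 fingerprint equals the Issuing-CA's instead of trusting a subject name.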