I'm setting up server-to-server OpenVPN with a PKI infrastructure, and cannot make it work. I suspect it's something in the certificate chain, but I'm at a loss to explain how. I have an offline Root CA, and a certificate hierarchy. The CAs are managed externally by a product called EJBCA. Pictorially the chain looks like this (with names changed):
RootCA -> OnlineSubCA -> SubCA1 -> VPNCA
I signed a server and client cert with the CA VPNCA, and have the certificate chain on those systems. While debugging OpenVPN I tried using "openssl s_server" and "openssl s_client", leading me to believe it's the CA chain. Specifically on the server:
openssl s_server -cert server.cert -key server.key -CAfile chained.pem -verify 5
and on the client
openssl s_client -cert client.cert -key client.key -CAfile chained.pem -verify 5
the server spits back, among other things:
depth=3 C = CA, O = My Company, CN = OnlineSubCA
verify error:num=24:invalid CA certificate
verify return:1
depth=3 C = CA, O = My Company, CN = OnlineSubCA
verify error:num=26:unsupported certificate purpose
verify return:1
depth=4 C = CA, O = My Company, CN = RootCA, emailAddress = certs@mycompany.com
verify return:1
depth=3 C = CA, O = My Company, CN = OnlineSubCA
verify return:1
depth=2 CN = SubCA1, O = My Company, C = CA
verify return:1
depth=1 CN = VPNCA
verify return:1
depth=0 C = CA, ST = , L = , O = My Company, OU = , CN = client1.mycompany.com, emailAddress = pki@mycompany.com
verify return:1
and I'm at a complete loss to explain how or why this is the case. OpenVPN also fails with a similar error, from the client:
VERIFY ERROR: depth=3, error=invalid CA certificate: /C=CA/O=My_Company/CN=OnlineSubCA
I'm running OpenVPN 2.2.1 and OpenSSL 1.0.1 on Ubuntu 12.04. Time is in sync on both.
I'm at a loss on how to proceed any further. Any ideas/suggestions would be greatly appreciated.
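Added example, not part of the original post: OpenSSL reports "error 24 ... invalid CA certificate" (X509_V_ERR_INVALID_CA) when a certificate that sits above depth 0 in the chain fails its CA check, that is, its basicConstraints extension is not CA:TRUE or its keyUsage extension is present but lacks keyCertSign. The script below builds a throwaway Root -> Intermediate -> Leaf chain three times (once correct, once with an intermediate marked CA:FALSE, once with a keyUsage that omits keyCertSign), runs "openssl verify" against each, and prints the CA-relevant extensions of the intermediate. All names, subjects and paths are invented for the demo; the cert_ca_flags function is the check to run over every certificate in chained.pem to see which issuer trips the error.

```shell
#!/bin/sh
# Constructed demonstration (not the poster's PKI): reproduce "invalid CA
# certificate" with a tiny demo chain and show the per-certificate check.
set -u

# Extension sets for the intermediate CA. Only GOOD_EXT makes it a usable issuer.
GOOD_EXT='basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign'
BAD_BC_EXT='basicConstraints = critical, CA:FALSE
keyUsage = critical, keyCertSign, cRLSign'
BAD_KU_EXT='basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment'
LEAF_EXT='basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth'

# issue_cert <dir> <name> <subject> <extension-text> [<issuer-name>]
# With no issuer name the certificate is self-signed (used for the demo root).
issue_cert() {
  dir=$1; name=$2; subj=$3; ext=$4; issuer=${5:-}
  printf '%s\n' "$ext" > "$dir/$name.ext"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key" 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "$subj" -out "$dir/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -days 2 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" \
      -CAcreateserial -days 2 -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
  fi
}

# build_chain <dir> <intermediate-extension-text>: root.pem, int.pem, leaf.pem in <dir>
build_chain() {
  mkdir -p "$1"
  issue_cert "$1" root "/O=Demo PKI/CN=Demo Root" "$GOOD_EXT"
  issue_cert "$1" int  "/O=Demo PKI/CN=Demo Intermediate" "$2" root
  issue_cert "$1" leaf "/O=Demo PKI/CN=client1.example.test" "$LEAF_EXT" int
}

# cert_ca_flags <cert.pem>: one line with the extensions the CA check looks at.
cert_ca_flags() {
  openssl x509 -in "$1" -noout -text | awk -v f="$1" '
    /X509v3 Basic Constraints/ { getline; sub(/^[ \t]+/, ""); bc = $0 }
    /X509v3 Key Usage/         { getline; sub(/^[ \t]+/, ""); ku = $0 }
    END { printf "%s: basicConstraints=[%s] keyUsage=[%s]\n", f, bc, ku }'
}

# verify_report <dir>: the raw "openssl verify" output, root trusted, int untrusted.
verify_report() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1 || true
}

# chain_verifies <dir>: exit 0 only if verify printed "leaf.pem: OK".
# (Checks the text rather than the exit code, which older openssl did not set.)
chain_verifies() {
  out=$(verify_report "$1")
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Demo run: one correct chain and two broken intermediates.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
for variant in good bad_bc bad_ku; do
  case $variant in
    good)   ext=$GOOD_EXT ;;
    bad_bc) ext=$BAD_BC_EXT ;;
    bad_ku) ext=$BAD_KU_EXT ;;
  esac
  build_chain "$WORK/$variant" "$ext"
  echo "== $variant =="
  cert_ca_flags "$WORK/$variant/int.pem"
  verify_report "$WORK/$variant"
done
```

Both broken variants fail at depth 1 with "error 24 at 1 depth lookup: invalid CA certificate", while the good chain ends in "leaf.pem: OK". The same check applied to each CA in chained.pem (cert_ca_flags on the split-out PEM blocks) shows whether a given issuer is even eligible to sign, independent of what s_server or OpenVPN reports.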