
I need to set up a new OpenVPN channel, but I already have a Windows CA, so I need to sign both server and client certs with this CA.

I created a new server and client sign request:

openssl req -newkey rsa:2048 -keyout client.key -nodes -out client.req -subj "/CN=x/O=x/C=x/ST=x/L=x"

I signed them with Microsoft Active Directory Certificate Services using "Web Server" template.

Now OpenVPN gives me this error:

Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 TLS Error: TLS handshake failed
Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 TLS Error: TLS object -> incoming plaintext read error
Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 TLS_ERROR: BIO read tls_read_plaintext error
Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=IT, ST=x, L=x, O=x, CN=x

It seems that the client certificate is not good, maybe because of the cert template chosen. Which one should I have chosen from the Windows CA? I need to maintain the CN in the request.

Tobia
