Generate server/client certificates for openvpn with Windows CA

Question

I need to setup a new OpenVPN channel but I already have a Windows CA, so I need to sign both server and client certs with this CA.

I created a new server and client sign request:

openssl req -newkey rsa:2048 -keyout client.key -nodes -out client.req -subj "/CN=x/O=x/C=x/ST=x/L=x"

I signed them with Microsoft Active Directory Certificate Services using "Web Server" template.

Now OpenVPN give me this error:

Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 TLS Error: TLS handshake failed
Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 TLS Error: TLS object -> incoming plaintext read error
Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 TLS_ERROR: BIO read tls_read_plaintext error
Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Feb 5 16:30:42  openvpn     28624   x.x.x.x:28681 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=IT, ST=x, L=x, O=x, CN=x

Seems that the client certificate is not good, maybe because of the cert template chosen. Which I should have chosen from Windows CA? I need to maintain the CN in the request.

Google-fu result http://web.archive.org/web/20110317180448/http://www.felines.org/OpenVPN-Windows_CA-Instructions.htm — Jacob Evans, Feb 05 '18 at 22:13

Generate server/client certificates for openvpn with Windows CA

0 Answers0