3

I was following this wiki instruction to generate OpenVPN client certificate. This involves:

easyrsa gen-req client1 nopass

I tried to use this client1 certificate in my OpenVPN setup. The server log shows the following (note: the IP address was changed from the public IP to 192.168.0.2 for security reasons):

192.168.0.2:5570 TLS: Initial packet from [AF_INET]192.168.0.2:5570, sid=1e71335b cc13ec8f
192.168.0.2:5570 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=client1
192.168.0.2:5570 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
192.168.0.2:5570 TLS_ERROR: BIO read tls_read_plaintext error
192.168.0.2:5570 TLS Error: TLS object -> incoming plaintext read error
192.168.0.2:5570 TLS Error: TLS handshake failed
192.168.0.2:5570 SIGUSR1[soft,tls-error] received, client-instance restarting

So the clear error should be this:

VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=client1

I checked the certificate with this command:

openssl x509 -in client1.crt -text -noout -purpose

And the Certificate purposes section output looks like this:

Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

My Questions:

  1. What is wrong with my client certificate?
  2. What should I do to generate the correct certificate?
Koala Yeung
  • `easyrsa gen-req client1 nopass` only creates the certificate request and key (csr and key). You _did_ sign the certificates with _your_ CA, yes? – Lenniey Apr 03 '18 at 06:57
  • Yes. I did sign the certificates. – Koala Yeung Apr 03 '18 at 07:56
  • It seems you set `nsCertType=server` for your client certificate. `SSL client : No SSL client CA : No SSL server : Yes SSL server CA : No`. Did you change anything from default in easy-rsa? And what version do you use? – Lenniey Apr 03 '18 at 08:03
  • I am only using the default easy-rsa configs in the `/usr/share/easy-rsa` folder. – Koala Yeung Apr 03 '18 at 13:21

3 Answers

2

Turns out the default client configuration of easy-rsa (v3.0.3) is the source of the problem. The default content of the file x509-types/client is:

# X509 extensions for a client

basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature

There is no nsCertType definition. To fix this, you'd need to change this file (in the easy-rsa copy you're using) and add this line:

nsCertType = client

Then the same client cert generation command works as a charm.

P.S. Thanks @lenniey for giving me the idea where to check. Thanks @andrew for the openssl command alternative.

Koala Yeung
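The following script is an added example, not part of the answer above or of easy-rsa: it reproduces the easy-rsa signing step with plain openssl, signs the same CSR once with the x509-types/client extensions plus nsCertType = client and once with nsCertType = server, and then vets each certificate with `openssl verify -purpose sslclient`, which applies the same purpose check that produced the "unsupported certificate purpose" error on the server. It assumes the openssl CLI is installed; the CA, key and file names are all constructed here.

```shell
#!/bin/sh
# Added example: vet an OpenVPN client certificate's purpose before handing it
# out, using a throwaway CA. Assumes the openssl CLI; all names are constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA, the equivalent of "easyrsa build-ca nopass".
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
  -keyout ca.key -out ca.crt -days 2 2>/dev/null

# Client request, the equivalent of "easyrsa gen-req client1 nopass".
openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
  -keyout client1.key -out client1.csr 2>/dev/null

# Extension file mirroring x509-types/client from the answer, with the
# nsCertType line that fixed the problem added.
cat > ext-client.cnf <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
nsCertType = client
EOF

# Same extensions but with the server cert type: the mis-issued case.
sed 's/nsCertType = client/nsCertType = server/' ext-client.cnf > ext-wrong.cnf

# sign_csr <extfile> <out.crt>: sign client1.csr with the given extensions.
sign_csr() {
  openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 2 -extfile "$1" -out "$2" 2>/dev/null
}
sign_csr ext-client.cnf client1-good.crt
sign_csr ext-wrong.cnf  client1-bad.crt

# check_client_purpose <crt>: returns 0 if OpenSSL accepts the certificate for
# the sslclient purpose (what an OpenVPN server demands of a peer), 1 otherwise.
check_client_purpose() {
  openssl verify -purpose sslclient -CAfile ca.crt "$1" >/dev/null 2>&1
}

check_client_purpose client1-good.crt && echo "client1-good.crt: accepted as SSL client"
check_client_purpose client1-bad.crt || echo "client1-bad.crt: rejected, unsupported certificate purpose"
```

Running `openssl verify -purpose sslclient` without the redirects prints the same "unsupported certificate purpose" text seen in the OpenVPN log for the nsCertType = server certificate.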
1

What is wrong with my client certificate?

The certificate that was generated is not configured with the SSL Client option, so something with the easy-rsa configuration is not correct.

What should I do to generate the correct certificate?

You can try to fix the easy-rsa tool, or you can use openssl directly. You will need access to the CA signer's key to do this with openssl.

openssl x509 -req -in <path to client csr> -CAkey <path to CA key> -CA <path to CA cert> -CAcreateserial -out client1.pem

This will create a certificate signed by the CA (required for authentication with OpenVPN) and should also provide usage for the SSL Client and SSL Server options.

Andrew
1

The correct way to enable nsCertType is via the easyrsa vars file:

# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature.  If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no".  When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.

#set_var EASYRSA_NS_SUPPORT "no"
 set_var EASYRSA_NS_SUPPORT "yes"

The resulting certificate has the following purpose:

    X509v3 Extended Key Usage: 
        TLS Web Client Authentication
    X509v3 Key Usage: 
        Digital Signature
    Netscape Comment: 
        Easy-RSA Generated Certificate
    Netscape Cert Type: 
        SSL Client
dotvotdot
  • Thanks a lot! The package from my distro (Fedora 27) did not include the vars.example file, so I didn't know about it. – Koala Yeung Apr 04 '18 at 14:07
  • Where is `set_var EASYRSA_NS_SUPPORT "yes"` expected to be? In the EasyRSA config on CA, or in the EasyRSA config on the OpenVPN server? – Nowaker Sep 22 '20 at 04:17