See also SSL client vs server certificates and bacula-fd.
I have been using OpenVPN since at least 2008 – now going on 13 years. I find it to be reliable and stable.
A few days ago, I added another client to a VPN. I run this particular network with self-signed certificates which I create using ssl-admin – I find it particularly useful for this purpose.
The problem
Away I went, creating a new certificate, bundled it up, and copied it over to the client. Fired up OpenVPN, and checked the logs. This is similar to what I found:
10.136.250.127:13345 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=**, ST=**, O=[redacted], CN=r720-02.example.org, emailAddress=dan@example.org, serial=123
Eh? What’s that you say?
Then I remembered thinking when creating the cert: which option do I use? 4 or S?
[dan@mydev:~] $ sudo ssl-admin
This program will walk you through requesting, signing, organizing and revoking SSL certificates.
ssl-admin installed Wed Jan 2 20:46:56 UTC 2013
=====================================================
# SSL-ADMIN v1.2.1 #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: 6A
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin
Menu Item:
I chose S.
I chose poorly.
I should have chosen 4.
This time I did, redeployed the cert, restarted OpenVPN, and it connected to the VPN immediately.
So what’s the difference?
Now that I have updated my documentation to mention this fine point, I wondered: What’s the difference in the two certs?
Here you go. The server cert (option S) contained X509v3 extensions that mark it for server use (Netscape Cert Type: SSL Server, Extended Key Usage: TLS Web Server Authentication), which is exactly what the "unsupported certificate purpose" error is complaining about. The client cert (option 4) is a plain version 1 certificate with no extensions at all.
Here is the original certificate I created, via option S:
[root@r720-02:/usr/local/etc/openvpn/keys] # openssl x509 -text -in client.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 104 (0x68)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: [redacted]
        Validity
            Not Before: [redacted]
            Not After : [redacted]
        Subject: [redacted]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    [redacted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                ssl-admin (OpenSSL) Generated Server Certificate
            X509v3 Subject Key Identifier:
                [redacted]
            X509v3 Authority Key Identifier:
                keyid:[redacted]
                DirName:[redacted]
                serial:[redacted]
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         [redacted]
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----
Here is the client cert, created via option 4:
[root@r720-02:/usr/local/etc/openvpn/keys] # openssl x509 -text -in ~dan/client.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 105 (0x69)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: [redacted]
        Validity
            Not Before: [redacted]
            Not After : [redacted]
        Subject: [redacted]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    [redacted]
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         [redacted]
-----BEGIN CERTIFICATE-----
[redacted]
-----END CERTIFICATE-----
So very simple. I don’t remember all this stuff.
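To make the "unsupported certificate purpose" error less of a mystery next time, here is a small checker I added for this post (it is not code from the post, from ssl-admin or from OpenVPN). It parses the text form of a certificate, as produced by the openssl x509 -text commands above, and applies the rule OpenSSL uses for its "SSL client" and "SSL server" purpose checks: each of Extended Key Usage, Netscape Cert Type and Key Usage restricts the certificate only when it is present, so a v1 certificate with no extensions passes either check, while a cert stamped "TLS Web Server Authentication" fails the client check. The two sample dumps, the function names and the field values in them are constructed for the example, modelled on the dumps above.

```python
"""Classify a certificate's TLS purpose from `openssl x509 -text` output.

Added example (not from the original post, ssl-admin or OpenVPN). Sample
certificates below are constructed; function names are this example's own.
"""
import re

# What each purpose needs, spelled the way `openssl x509 -text` prints it.
PURPOSES = {
    "client": {"eku": "TLS Web Client Authentication", "ns": "SSL Client",
               "ku": {"Digital Signature", "Key Agreement"}},
    "server": {"eku": "TLS Web Server Authentication", "ns": "SSL Server",
               "ku": {"Digital Signature", "Key Encipherment", "Key Agreement"}},
}


def parse_extensions(text):
    """Return {extension name: value} from the 'X509v3 extensions:' section.

    Headers sit at 12 spaces of indentation, values at 16; multi-line values
    are joined with ', '. A v1 certificate has no section: empty dict.
    """
    m = re.search(r"X509v3 extensions:\n(.*?)\n\s*Signature Algorithm:", text, re.S)
    if not m:
        return {}
    exts, current = {}, None
    for line in m.group(1).splitlines():
        hdr = re.match(r"^ {12}(\S[^:]*):( critical)?\s*$", line)
        if hdr:
            current = hdr.group(1)
            exts[current] = []
        elif current is not None and line.strip():
            exts[current].append(line.strip())
    return {name: ", ".join(vals) for name, vals in exts.items()}


def _items(value):
    """Split a comma-separated extension value into a set of names."""
    return {v.strip() for v in value.split(",")}


def check_purpose(exts, purpose):
    """OpenSSL's purpose rule for an end-entity cert. Returns (ok, reason)."""
    want = PURPOSES[purpose]
    eku = exts.get("X509v3 Extended Key Usage")
    if eku is not None and want["eku"] not in _items(eku):
        return False, f"Extended Key Usage lacks '{want['eku']}' (has: {eku})"
    ns = exts.get("Netscape Cert Type")
    if ns is not None and want["ns"] not in _items(ns):
        return False, f"Netscape Cert Type lacks '{want['ns']}' (has: {ns})"
    ku = exts.get("X509v3 Key Usage")
    if ku is not None and not (want["ku"] & _items(ku)):
        return False, f"Key Usage allows none of {sorted(want['ku'])} (has: {ku})"
    return True, f"usable as TLS {purpose}"


def diagnose(text, purpose):
    """Parse one dump and check it for one purpose."""
    return check_purpose(parse_extensions(text), purpose)


# Constructed sample shaped like the option-S (server) certificate.
SERVER_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = r720-02.example.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Authority Key Identifier:
                keyid:00:11:22
                DirName:/O=Example CA
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         00:11:22
"""

# Constructed sample shaped like the option-4 (v1, no extensions) certificate.
V1_CERT_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Subject: CN = r720-02.example.org
    Signature Algorithm: sha256WithRSAEncryption
         00:11:22
"""

if __name__ == "__main__":
    for name, text in (("option S cert", SERVER_CERT_TEXT), ("option 4 cert", V1_CERT_TEXT)):
        for purpose in ("client", "server"):
            ok, why = diagnose(text, purpose)
            print(f"{name} as {purpose}: {'OK' if ok else 'REJECT'} - {why}")
```

Run against a real file by passing the output of openssl x509 -text -in client.crt to diagnose(); the option-S cert is rejected as a client because its Extended Key Usage lists only server authentication, and the option-4 cert passes both checks simply because it carries no extensions to restrict it.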