OpenVPN: unsupported certificate purpose

See also SSL client vs server certificates and bacula-fd.

I have used OpenVPN since at least 2008 – now going on 13 years. I find it to be reliable and stable.

A few days ago, I added another client to a VPN. I run this particular network with self-signed certificates which I create using ssl-admin – I find it particularly useful for this purpose.

The problem

Away I went, creating a new certificate, bundled it up, and copied it over to the client. I fired up OpenVPN and checked the logs. This is similar to what I found:

10.136.250.127:13345 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=**, ST=**, O=[redacted], CN=r720-02.example.org, emailAddress=dan@example.org, serial=123

Eh? What’s that you say?

Then I remembered thinking when creating the cert: which option do I use? 4 or S?

[dan@mydev:~] $ sudo ssl-admin
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

ssl-admin installed Wed Jan 2 20:46:56 UTC 2013


=====================================================
#               SSL-ADMIN v1.2.1                    #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: 6A
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item: 

I chose S.

I chose poorly.

I should have chosen 4.

This time I did, redeployed the cert, restarted OpenVPN, and it connected to the VPN immediately.

So what’s the difference?

Now that I have updated my documentation to mention this fine point, I wondered: What’s the difference in the two certs?

Here you go. The server cert contained X509v3 extensions: in particular, Extended Key Usage set to TLS Web Server Authentication and Netscape Cert Type set to SSL Server, both of which restrict the cert to the server role. When a peer connects, the OpenVPN server verifies that peer's cert for the TLS client purpose, and OpenSSL rejects a cert whose extensions exclude client use with "unsupported certificate purpose". The option 4 cert has no extensions at all, so no such restriction applies.

Here is the original certificate I created, via option S:

[root@r720-02:/usr/local/etc/openvpn/keys] # openssl x509 -text -in client.crt  
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 104 (0x68)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: [redacted]
        Validity
            Not Before: [redacted]
            Not After : [redacted]
        Subject: [redacted]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    [redacted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                ssl-admin (OpenSSL) Generated Server Certificate
            X509v3 Subject Key Identifier: 
                [redacted]
            X509v3 Authority Key Identifier: 
                keyid:[redacted]
                DirName:[redacted]
                serial:[redacted]

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         [redacted]
-----BEGIN CERTIFICATE-----
         [redacted]
-----END CERTIFICATE-----

Here is the client cert, created via option 4:

[root@r720-02:/usr/local/etc/openvpn/keys] # openssl x509 -text -in ~dan/client.crt  
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 105 (0x69)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: [redacted]
        Validity
            Not Before: [redacted]
            Not After : [redacted]
        Subject: [redacted]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    [redacted]
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         [redacted]
-----BEGIN CERTIFICATE-----
         [redacted]
-----END CERTIFICATE-----

So very simple. I don’t remember all this stuff.
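To make the difference concrete, here is an added example (not from the post and not part of ssl-admin) that rebuilds the two kinds of cert with plain openssl and runs the same purpose check the OpenVPN server runs. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the CA, the subject names and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the post or from ssl-admin: reproduce the
# "unsupported certificate purpose" rejection with plain openssl, and show the
# quick check that tells the two kinds of cert apart. Assumes the openssl CLI
# (1.1.1 or 3.x) is on PATH; every name and subject below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and two leaf certs from the same CSR:
#   server_only.crt: EKU serverAuth + nsCertType server, like ssl-admin option S
#   plain.crt:       no X509v3 purpose extensions, like the option 4 cert on the page
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1

  cat > "$WORK/server_only.ext" <<'EOF'
basicConstraints=CA:FALSE
nsCertType=server
extendedKeyUsage=serverAuth
keyUsage=digitalSignature,keyEncipherment
EOF
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/server_only.ext" \
    -out "$WORK/server_only.crt" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/plain.crt" >/dev/null 2>&1
}

# The one-line check: does openssl consider this cert usable as a TLS client?
# Prints "Yes" or "No" (the "SSL client" row of `openssl x509 -purpose`).
client_purpose() {
  openssl x509 -noout -purpose -in "$1" | sed -n 's/^SSL client : //p'
}

# What the OpenVPN server effectively does when a peer connects: verify the
# chain with purpose "sslclient". Prints "ok" or the OpenSSL error text and
# returns non-zero on rejection.
verify_as_client() {
  out="$(openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" 2>&1 || true)"
  case "$out" in
    *"unsupported certificate purpose"*) echo "unsupported certificate purpose"; return 1 ;;
    *": OK"*) echo "ok" ;;
    *) echo "$out"; return 1 ;;
  esac
}

# Demo run (skipped when openssl is missing so the functions can still be sourced).
if command -v openssl >/dev/null 2>&1; then
  make_test_certs
  for name in server_only plain; do
    printf '%-12s SSL client purpose=%-3s verify=%s\n' "$name" \
      "$(client_purpose "$WORK/$name.crt")" \
      "$(verify_as_client "$WORK/$name.crt" || true)"
  done
fi
```

The `openssl x509 -noout -purpose -in client.crt` check is the quickest way to spot this before deploying a cert: a cert that is going to be presented by a VPN client must show "SSL client : Yes". The `openssl verify -purpose sslclient` call reproduces the server's decision offline, so the "unsupported certificate purpose" text can be seen without touching the VPN.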
