I'm using openvpn for several years now, with certificates that are
issued by a private Windows based CA.
My clients are provided with an encrypted PKCS#12 container, which
- CA certificate
- user certificate
- private key
The PKCS#12 container is created manually using openssl and the
openssl pkcs12 -export -in CLIENT_CERT.pem -inkey CLIENT_KEY.pem -certfile CA_CERT.pem -out CLIENT_PKCS12.pfx
This worked perfectly for quite a few years.
As our current CA certificate is running out of date, we replaced the
Windows CA, due to changed requirements. It is now based on Windows
Server 2008 R2, working as an Enterprise CA within an Active Directory
Certificate issuing and PKCS#12 creation did not change. However the new
PKCS#12 give the following error message when I try to connect:
Wed Dec 8 10:31:18 2010 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: $CA_NAME
My first thought was, that the CA cert is not marked as such with the
openssl pkcs12 -in client_cert.pfx -cacerts
returns the correct certificate.
I then tested dissambling the PKCS#12 into priv-key/user-cert/ca-cert
and changed client configuration to use this 3 files, with the following
openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out client.pem
openssl pkcs12 -in cert.pfx -cacerts -nokeys -out ca01.pem
Certificate verification of the server cert then works as intended.
Does anyone know what is wrong with the PKCS#12 container?
Why does OpenVPN do not find the CA certificate, while it is found by