On Thu, 17 Mar 2016, Steve L wrote:
For anyone else with further clarification:
Server Side:
- ca.crt = The latest LotW Root CA cert
certs\root*, you need to break them apart and select the latest one
Actually, to support clients with certificates which have been signed by one of the older certs, you should supply all of those LotW certificates in ca.crt. Yes, you can have them all in there, concatenated, OpenVPN will support that.
- server.crt* = Your personal LotW cert concatenated with the
intermediate that signed it.
I don't think that will work. Your personal LotW cert does not contain "key usage" parameters that would allow it to be used as a server certificate, so the openvpn client probably will reject it. (If it doesn't, it is misconfigured.)
You should set up a private CA and have it issue a server certificate to be used for the server cert, and the client should use that private CA's certificate as the "ca cert".
certs\user* + certs\authorities*
- server.key = The private key associated with your personal cert
keys\YOURCALL*
*References are to the Windows TQSL program: C:\Documents and Settings\your-username\Application Data\TrustedQSL\
_________________________________________
44Net mailing list
44Net@hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
- Hessu
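The two points Hessu makes above (a concatenated ca.crt holding several CA certificates, and a client-style certificate being rejected for server use because its key-usage extensions do not permit it) can be reproduced locally with openssl. The script below is an added example, not code from the thread or from the TQSL/LotW project; the directory layout, CA names (old-ca, new-ca), the vpn-server/user names and the use of `openssl verify -purpose` as a stand-in for what an OpenVPN peer checks are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build two private CAs, issue a
# server certificate with the serverAuth EKU and a client-style cert
# without it, then check them the way a TLS peer would.
# All names and paths below (WORK, old-ca, new-ca, user, vpn-server)
# are assumptions chosen for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# make_ca NAME: self-signed CA cert; "req -x509" marks it CA:TRUE by default
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert CA NAME EKU: leaf certificate signed by CA, with the given
# extendedKeyUsage (serverAuth for a VPN server, clientAuth for a user)
issue_cert() {
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$3" > "$WORK/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 365 \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# usable_as CERT PURPOSE BUNDLE: succeeds only if CERT chains to a CA in
# BUNDLE and its key-usage extensions permit PURPOSE (sslserver/sslclient)
usable_as() {
  openssl verify -purpose "$2" -CAfile "$3" "$1" >/dev/null 2>&1
}

# count_certs FILE: number of PEM certificates in a concatenated bundle
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

build_demo() {
  make_ca old-ca
  make_ca new-ca
  issue_cert old-ca user clientAuth       # stands in for a personal cert
  issue_cert new-ca vpn-server serverAuth # what the server side needs
  # Several CA certs concatenated into one file, as OpenVPN's ca.crt allows
  cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/ca-bundle.crt"
}

report() {
  for c in user vpn-server; do
    if usable_as "$WORK/$c.crt" sslserver "$WORK/ca-bundle.crt"; then
      echo "$c: accepted as a server certificate"
    else
      echo "$c: rejected as a server certificate"
    fi
  done
}

build_demo
report
```

Running it prints that the clientAuth-only certificate is rejected for server use while the one issued with serverAuth is accepted, and the user certificate still validates for client use only when the bundle contains the older CA that signed it; dropping old-ca.crt from the bundle makes that client certificate untrusted.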