On Tue, 15 Mar 2016, Cory (NQ1E) wrote:
> However, OpenVPN doesn't natively support
> specifying a cert chain. It
> may still be possible by concatenating the end-user cert with the
> intermediate cert into the same file, but that will require testing to
> be sure.
That's tested; it does work. That's what the VPN server I set up is doing,
and the instructions at
http://wiki.ampr.org/wiki/AMPRNet_VPN for setting
up a client do include steps for concatenating the end-user client cert
with the intermediate cert.
You can either provide the intermediate certificates in the server-side CA
bundle, or the client can have them bundled with the client CA.
A more user-friendly approach could be used too: the tQSL application used
to have an option to export a PKCS#12 (p12) file, which includes the
client's private key, client certificate, and the intermediate cert.
OpenVPN can use a PKCS#12 file too instead of a separate key+certs file,
but older versions would not pass intermediate certs from the p12 file to
the server. I provided openvpn with a patch to add that feature, and it's
included in more recent versions of the openvpn client, but I'm not sure
if that made it to mainstream Linux distributions yet.
- Hessu
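A way to check the concatenated-certificate approach discussed above before handing the file to OpenVPN, as an added example that is not from the thread or the AMPRNet wiki: it builds a throwaway root, intermediate and client cert (all names constructed), concatenates client and intermediate the way the wiki instructions do, and verifies the result against the root alone, which is what a server whose CA file lacks the intermediate effectively does.

```shell
#!/bin/sh
# Constructed demonstration: toy root -> intermediate -> client chain, then
# the concatenated "cert" file for OpenVPN, then a chain check. All key and
# file names are ours; nothing here is the real AMPRNet CA.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# issue <name> <subject> <ca-name> <extfile>: CSR + cert signed by <ca-name>
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 2 -extfile "$4" -out "$1.crt" 2>/dev/null
}

# Self-signed root (stands in for the real CA's root)
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout root.key -out root.crt -subj "/CN=Example Root" -days 2 2>/dev/null
# Intermediate CA: needs CA:TRUE and keyCertSign to be accepted as an issuer
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
issue intermediate "/CN=Example Intermediate" root ca.ext
# End-user client cert, signed by the intermediate, not by the root
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
issue client "/CN=Example Client" intermediate client.ext

# What the client points OpenVPN's "cert" option at: the end-user cert first,
# then the intermediate. Order matters: the first PEM block is the identity.
cat client.crt intermediate.crt > client-chain.crt

# chain_ok <pem-file> <root-ca-file>: verify the FIRST cert in <pem-file> with
# only the root as trust anchor; every cert in <pem-file> may serve as an
# untrusted intermediate, which is how a peer treats a chain it is sent.
chain_ok() {
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print }
       /-----END CERTIFICATE-----/ { exit }' "$1" > leaf.tmp
  openssl verify -CAfile "$2" -untrusted "$1" leaf.tmp > /dev/null 2>&1
}

chain_ok client-chain.crt root.crt
echo "client-chain.crt: chains to the root, intermediate found in the file"
# The bare client cert carries no intermediate; against a root-only CA file it
# fails. That is the gap the server-side CA bundle must otherwise close.
if chain_ok client.crt root.crt; then
  echo "unexpected: bare client cert verified without the intermediate"; exit 1
fi
echo "client.crt alone: chain incomplete (intermediate missing)"
```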