Following the first steps, I downloaded openssl.cnf, but I don't understand why it continually makes reference to "Sophos" when I am using OpenWRT; can I remove those entries? Heck, why is it linking to a Windows configuration file?
According to the next sections, I need to name my CA and ICA. What names do I use? A domain name? A random name?
Do I need to be concerned about the "Certificate authority clients" and "Intermediate Certificate authority clients"? If so, what values am I supposed to set there? I only want to generate the certs for OpenVPN, not websites or anything. I also don't follow why there are references to Sophos, FreeNAS, etc.
The "Server Cert" section says to change my SAN IP and SAN DNS, but to what? The IP of my router, as that is my LAN DNS and where OpenVPN is running? Do I need to sign up for an Internet DDNS service before I can use OpenSSL?
I'll also echo @vgaetera's advice above regarding the OpenVPN Basic wiki.
The basic wiki is intended to get the user up and running as quickly as possible, without having to have them understand the intricacies of configuring OpenVPN and generating certs via OpenSSL directly.
The OpenVPN Comprehensive wiki is intended for the user who wants to understand what each granular step in the process does, how to tune the configuration, and who has the time to thoroughly read the wiki and reference the linked-to wikis mentioned throughout the Comprehensive wiki.
Also, in case you've been working from the Comprehensive wiki over the past day or more, I've updated a few things in the wiki:
I removed TLS-Auth and replaced it with TLS-Crypt.
Change the XML tag <tls-auth> to <tls-crypt>
Remove key-direction 1
Change tls_auth '/etc/ssl/openvpn/tls-auth.key 0' to tls_crypt '/etc/ssl/openvpn/tls-crypt.key'
Before I delete everything, I thought I'd try to verify the certs, but I must be making an error with the VPN Server cert:
openssl verify -verbose -CAfile ca/OpenWrt-CA.crt.pem ca/OpenVPN-ICA.crt.pem ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt
certs/vpn-server.crt.pem: C = XX, ST = XX, CN = XX
error 20 at 0 depth lookup:unable to get local issuer certificate
So I guess that explains why it won't load the p12 at run time; I just have no idea what could possibly be wrong. Yes, I did run "cat ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem >> certs/vpn-server.crt.pem"!
Edit: hmm...but this is OK
# openssl verify -verbose -CAfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt.pem
The issue is the PKCS12 cert likely wasn't created with the CA-ICA Chain cert.
Chain of trust: CA -> ICA -> VPN Server cert.
Certs should be signed with the ICA, with the PKCS12 created with the CA-ICA Chain as the CA.
That being said, the OpenSSL PKI wiki had the concatenation step misfiled under the section for creating the CRL. I corrected this on 10/18, with the step now where it should be as #3 under ICA, and my hunch is this is the root of the issue.
As soon as I add 'option ca', that problem goes away. I completely understand that somewhere the chain of trust is broken, I just can't see where. I'll go back and re-do everything again from the top, but I am pretty sure I followed both wikis exactly as they have been written.
One minor point, below the section on exporting the p12 in the OpenVPN wiki I think it should warn you to not set an export phrase (this warning is present in the OpenSSL wiki under "Servers", point 4).
After three further attempts I am sorry to confirm that all I get is an X509 error unless I use 'option ca'.
I took a glance through the Basic scripts in the hope they would show me where I or the instructions are wrong. I didn't see much, but the differences in configuration made it harder to spot anything. I did note it is also using 'option ca', but as I said, the configuration is rather different.
Something is wrong with your certs then, as ca should not be specified with pkcs12 since the CA is included within the PKCS12 cert.
Please post the ICA chain cert and Server cert (not keys) in text form (open each cert and copy/paste all contents).
What happens if you comment out the pkcs12 option, and add the required options for ca, cert, and key?
You should experience the same error
If you do not, then it's likely you either created the PKCS12 cert with the ICA cert, not the ICA chain cert, or with the CA cert.
There should be two certificate blocks in the ICA chain cert when opening it in a text editor. The first certificate block, which starts at the top of the file, should be the ICA cert, followed by the 2nd certificate block, which should be the CA.
The certificate blocks must be in this order.
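Added example, not from the OpenWrt wiki or from either poster above: the script below reproduces the whole picture from this thread in a throwaway directory. It builds a CA, an ICA and a server cert with openssl; shows that `openssl verify -CAfile` with only the CA fails at depth 0 with "unable to get local issuer certificate" because the ICA is neither trusted nor supplied via -untrusted, while the ICA chain bundle (or -untrusted ica.crt) verifies; checks that a bundle has the ICA block first and the self-signed CA block second, as required in the post above; and exports the PKCS12 with the chain via -certfile and an empty export passphrase, then counts the certificates inside it. The names (Example-CA, Example-OpenVPN-ICA, vpn-server), file names, SAN values and extension profiles are all assumed placeholders.

```sh
#!/bin/sh
# Added example for this thread, not the OpenWrt wiki's commands: build a disposable
# CA -> ICA -> server chain, reproduce the depth-0 "unable to get local issuer
# certificate" result, assemble and check the ICA chain bundle (ICA first, CA second),
# and export a PKCS12 carrying the whole chain. Every name, path and SAN is a placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal extension profiles standing in for the wiki's openssl.cnf sections.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ica]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:router.lan, IP:192.168.1.1
EOF

# csr <name> <CN>: fresh RSA key and CSR (keygen progress noise suppressed).
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# 1. Root CA (self-signed).
csr ca Example-CA
openssl x509 -req -in ca.csr -signkey ca.key -sha256 -days 3650 \
  -extfile ext.cnf -extensions ca -out ca.crt 2>/dev/null

# 2. ICA, signed by the CA.
csr ica Example-OpenVPN-ICA
openssl x509 -req -in ica.csr -CA ca.crt -CAkey ca.key -CAcreateserial -sha256 \
  -days 1825 -extfile ext.cnf -extensions ica -out ica.crt 2>/dev/null

# 3. ICA chain bundle: ICA block first, CA block second. The reversed copy exists
#    only to give the order check below something to reject.
cat ica.crt ca.crt > ica-chain.crt
cat ca.crt ica.crt > reversed-chain.crt

# 4. Server cert, signed by the ICA (not by the CA directly).
csr server vpn-server
openssl x509 -req -in server.csr -CA ica.crt -CAkey ica.key -CAcreateserial -sha256 \
  -days 825 -extfile ext.cnf -extensions server -out server.crt 2>/dev/null

# 5. PKCS12: server key + server cert + the full ICA chain as CA material, with an
#    empty export passphrase so the OpenVPN daemon can start unattended.
openssl pkcs12 -export -inkey server.key -in server.crt -certfile ica-chain.crt \
  -passout pass: -out vpn-server.p12

# verify_server <openssl verify options...>: "ok" or "fail" for server.crt.
verify_server() {
  if openssl verify "$@" server.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# nth_cert <bundle> <n>: print the n-th PEM certificate block of a bundle.
nth_cert() { awk -v n="$2" '/BEGIN CERTIFICATE/ { c++ } c == n' "$1"; }

# field -subject|-issuer: DN of the cert on stdin with the "subject="/"issuer="
# prefix removed, so subjects and issuers compare as plain strings.
field() { openssl x509 -noout "$1" | sed 's/^[a-z]*=//'; }

# chain_order <bundle>: "ok" when block 1 issued server.crt, block 2 issued block 1
# and block 2 is self-signed; anything else is "wrong-order".
chain_order() {
  leaf_issuer=$(field -issuer < server.crt)
  b1_subject=$(nth_cert "$1" 1 | field -subject)
  b1_issuer=$(nth_cert "$1" 1 | field -issuer)
  b2_subject=$(nth_cert "$1" 2 | field -subject)
  b2_issuer=$(nth_cert "$1" 2 | field -issuer)
  if [ "$b1_subject" = "$leaf_issuer" ] && [ "$b1_issuer" = "$b2_subject" ] &&
     [ "$b2_subject" = "$b2_issuer" ]; then echo ok; else echo wrong-order; fi
}

# p12_cert_count: certificates inside the PKCS12 (server + ICA + CA = 3 when the
# chain was included; 1 means it was built without -certfile).
p12_cert_count() {
  openssl pkcs12 -in vpn-server.p12 -nokeys -passin pass: 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

echo "CA only:            $(verify_server -CAfile ca.crt)"
echo "CA + untrusted ICA: $(verify_server -CAfile ca.crt -untrusted ica.crt)"
echo "ICA chain bundle:   $(verify_server -CAfile ica-chain.crt)"
echo "bundle order:       $(chain_order ica-chain.crt) / $(chain_order reversed-chain.crt)"
echo "certs in p12:       $(p12_cert_count)"
```

Run it with sh. A PKCS12 built from the server cert alone reports 1 certificate instead of 3, which is the case where OpenVPN only works once 'option ca' is added back; when the chain is inside the p12 as shown, no separate ca option is needed.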
I assumed this would be inferred: if a passphrase should not be set on the server's PEM cert, it should be inferred that a passphrase should also not be set on the server's PKCS12 cert, else manual intervention will be required whenever the OpenVPN server starts or restarts.
This morning I generated some more certs with identifying information removed so that I could post them. Lo and behold, those worked.
I have no idea why as all I did was follow the steps like last time.
I will try again tonight to create "proper" certificates again and see if those work.
Try removing the CA and ICA from the server cert, leaving only the server cert's block. My understanding from reading the OpenSSL documentation was this could be done to allow a single cert to contain the entire chain of trust, however I'm wondering if this is the cause of the issue.
If this doesn't solve the issue, and specifying the ICA chain cert with the ca option does, it seems the issue is with the PKCS12 cert, but as to what that issue could be, I don't have the slightest. I'd recommend creating a thread on the OpenVPN forum at that point, as I'm stumped.