Hi there,
I'm trying to get my UTM9 to act as a subordinate ca from my primary (windows) ca.
(sidestory: heartbleed, deactivated all vpn (and other vuln services...), got the latest up2date updates, now reactivating and recreating all certs. having two ca's wasn't a "optimal configuration" so I decided to try to get the UTM9 act as sub-ca)
The primary question is:
"Is there a way to have the utm configured as sub-ca and avoid the hassle with chaining certificates and tempering with config files I'm describing below?"
If its NOT possible, could you please help me by answering the questions below?
This are the steps I did so far:
I've created the SUB CA certificate for the utm(on windows side) and imported it under:
"Remote Access -> Certificate Management -> Certificate Authority"
After the import all user certificates were automatically recreated (showing "regenerated" in the name).
The next step I did was to import the ROOT CA public key as "verification ca"
also under:
"Remote Access -> Certificate Management -> Certificate Authority"
After I did those steps, I visited the client portal with a client laptop and downloaded the new cert/conf file and applied it.
Configuration was successfully changed on the client side, I checked the config dir manually and found the new client cert and the subordinate-ca certificate.
But, I'm not able to connect! I've tried with Linux and with Windows Clients, here is what I did:
On Linux:
When I tried first I got a:
[...]
VERIFY ERROR: depth=1, error=unable to get local issuer certificate: "CENSORED"
[...]
so I had to build a cert chain for the ca cert:
'cat sub-ca.crt ca.crt > ca_chain.crt'
, and point to it with the cert option inside the client config.
Then I received a "VERIFIY X509NAME ERROR" from OpenVPN.
-> This could be resolved by altering the config manually so that the tls-remote option was matching.
Now I get the following error: (on server side, client sees only connection reset)
[...]
"VERIFY ERROR: depth=2, error=self signed certificate in certificate chain:"CENSORED" "
[...]
QUESTION: Is it because my root ca is not signed by another ca?
QUESTION: Is it possible to circumvent that by adding my ca to some sort of trusted ca list? (IF SO: PLS TELL ME HOW [:)] )
On windows:
I get the following error(probably because of a incomplete chain. ... as I don't know how I do certificate chaining on windows):
[...]
VERIFY ERROR: depth=1, error=unable to get local issuer certificate: "CENSORED"
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, process restarting
MANAGEMENT: >STATE:1397567292,RECONNECTING,tls-error,,
[...]
QUESTION: Can I use the same ca_chain.crt file I created on linux?
I tried to be as accurate as possible with the description what I did, I hope it's sufficient. Please let me know if I missed some important information.
Thanks in advance for your help.
Kind regards
This thread was automatically locked due to age.
