SSL VPN - Certificate Validation Issue

Hello chaps- apologies for bringing this thread back after so long, but I've reproduced this problem and thought it worth revisiting.

After reading JW0914_01's comments, I went back over the configs, and noticed a couple of things when looking over the certs.
The CNs are all correct that I can see- server cert has the FQDN in CN, user cert has user name in CN, issuers match the whole DN of the next cert up, and so on. In short, according to what I know about X.509 certs, everything's right and the user and local server certs check out, so this suggests the whole CN mess is fixed in 9.352.

What is missing is that the root CA isn't included in the package, just the user cert, and VPN signing (intermediate) CA cert that the UTM used to create it. The logs *suggest* it cannot find the issuer of the server cert,
VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=uk, <other attributes of the intermediate CA>
but I defer to those who know OpenVPN better. Is it saying it cannot find that intermediate CA (which is how it reads to me) or saying it cannot find the issuer of that intermediate CA (the not-included root CA)? Log message suggests one thing, logic suggests the other..

The other thing I noticed is that if an email address is included in the DN of a cert, the OpenVPN client log reports it using the notation emailAddress= rather than the E= that's in the cert when read by most anything else. Is this just an OpenVPN thing?

I'll have a play with trying to append the root CA to the openVPN client's package, in case, but any other ideas welcome.

In case it's important, the reason I'm doing this is I have clients who want all server certs replaced with 4096-bit keys and SHA256 or higher signatures.. so if anyone knows how to get the UTM to create user/server certs with longer keys, I'd be happy to hear it!

Hello chaps- apologies for bringing this thread back after so long, but I've reproduced this problem and thought it worth revisiting.

After reading JW0914_01's comments, I went back over the configs, and noticed a couple of things when looking over the certs.
The CNs are all correct that I can see- server cert has the FQDN in CN, user cert has user name in CN, issuers match the whole DN of the next cert up, and so on. In short, according to what I know about X.509 certs, everything's right and the user and local server certs check out, so this suggests the whole CN mess is fixed in 9.352.

What is missing is that the root CA isn't included in the package, just the user cert, and VPN signing (intermediate) CA cert that the UTM used to create it. The logs *suggest* it cannot find the issuer of the server cert,
VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=uk, <other attributes of the intermediate CA>
but I defer to those who know OpenVPN better. Is it saying it cannot find that intermediate CA (which is how it reads to me) or saying it cannot find the issuer of that intermediate CA (the not-included root CA)? Log message suggests one thing, logic suggests the other..

The other thing I noticed is that if an email address is included in the DN of a cert, the OpenVPN client log reports it using the notation emailAddress= rather than the E= that's in the cert when read by most anything else. Is this just an OpenVPN thing?

I'll have a play with trying to append the root CA to the openVPN client's package, in case, but any other ideas welcome.

In case it's important, the reason I'm doing this is I have clients who want all server certs replaced with 4096-bit keys and SHA256 or higher signatures.. so if anyone knows how to get the UTM to create user/server certs with longer keys, I'd be happy to hear it!