openssl invalid CA certificate
I'm setting up server-to-server OpenVPN with a PKI infrastructure, and cannot make it work. I suspect it's something in the certificate chain, but I'm at a loss to explain how. I have an offline Root CA, and a certificate hierarchy. The CAs are managed externally by a product called EJBCA. Pictorially the chain looks like this (with names changed):
RootCA -> OnlineSubCA -> SubCA1 -> VPNCA
I signed a server and client cert with the CA VPNCA, and have the certificate chain on those systems. While debugging OpenVPN I tried using "openssl s_server" and "openssl s_client", leading me to believe it's the CA chain. Specifically on the server:
openssl s_server -cert server.cert -key server.key -CAfile chained.pem -verify 5
and on the client
openssl s_client -cert client.cert -key client.key -CAfile chained.pem -verify 5
the server spits back, among other things:
depth=3 C = CA, O = My Company, CN = OnlineSubCA
verify error:num=24:invalid CA certificate
verify return:1
depth=3 C = CA, O = My Company, CN = OnlineSubCA
verify error:num=26:unsupported certificate purpose
verify return:1
depth=4 C = CA, O = My Company, CN = RootCA, emailAddress = [email protected]
verify return:1
depth=3 C = CA, O = My Company, CN = OnlineSubCA
verify return:1
depth=2 CN = SubCA1, O = My Company, C = CA
verify return:1
depth=1 CN = VPNCA
verify return:1
depth=0 C = CA, ST = , L = , O = My Company, OU = , CN = client1.mycompany.com, emailAddress = [email protected]
verify return:1
and I'm at a complete loss to explain how or why this is the case. OpenVPN also fails with a similar error, from the client:
VERIFY ERROR: depth=3, error=invalid CA certificate: /C=CA/O=My_Company/CN=OnlineSubCA
I'm running OpenVPN 2.2.1 and OpenSSL 1.0.1 on Ubuntu 12.04. Time is in sync on both.
I'm at a loss on how to proceed any further. Any ideas/suggestions would be greatly appreciated.
Solution 1:
This is a problem with the X509v3 extensions. Modern certificates are signed in a way that indicates the approved uses for that type of certificate. These can be displayed by piping the cert into openssl x509 -text, or specifying the file path with -in.
In your case, these error messages are indicating that the cert you're specifying is not a CA cert. (the biggest hint is "unsupported certificate purpose") Using the above command, display the text info of the certificate. A valid CA cert will read like so:
X509v3 Basic Constraints:
CA:TRUE
A non-CA cert will display this instead:
X509v3 Basic Constraints:
CA:FALSE
You may have gotten your files jumbled up, it's a rather easy thing to do when moving the files around. openssl x509 will shine a magnifying glass on what the contents of the actual certs are.
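As an added example (not code from the question or the answer), a small sh script that applies the check above to every certificate in a bundle such as chained.pem: it splits the PEM file, prints each subject with its Basic Constraints value, and returns 1 if any member is not CA:TRUE, which is what the depth=3 "invalid CA certificate" error is complaining about. It assumes openssl 1.1.1 or newer on PATH; the file names and the constructed CA/leaf pair built by make_test_chain are made up for demonstration.

```shell
# Inspect each certificate in a PEM bundle and report its Basic Constraints.
# Returns 1 if any certificate in the bundle is not marked CA:TRUE.
# Assumes an openssl binary (1.1.1 or 3.x) on PATH; file names are made up.
check_ca_chain() {
    bundle=$1
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    [ "$n" -gt 0 ] || { echo "no certificates found in $bundle" >&2; return 2; }
    rc=0; i=1
    while [ "$i" -le "$n" ]; do
        # extract the i-th PEM block from the bundle
        cert=$(awk -v want="$i" '/BEGIN CERTIFICATE/{c++} c==want' "$bundle")
        subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
        # the CA:TRUE / CA:FALSE value sits on the line after the header
        bc=$(printf '%s\n' "$cert" | openssl x509 -noout -text \
             | awk '/X509v3 Basic Constraints/ {getline; print}' \
             | sed -n 's/.*\(CA:[A-Z]*\).*/\1/p' || true)
        echo "[$i] $subj  basicConstraints=${bc:-absent}"
        [ "$bc" = "CA:TRUE" ] || rc=1
        i=$((i + 1))
    done
    return "$rc"
}

# Build a constructed CA + leaf pair in DIR (test fixture, not real PKI data);
# the leaf deliberately carries CA:FALSE so the check has something to flag.
make_test_chain() {
    dir=$1
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/leaf.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -subj /CN=TestCA -days 1 \
        -config "$dir/ext.cnf" -extensions ca_ext -out "$dir/ca.crt"
    openssl req -new -key "$dir/leaf.key" -subj /CN=vpn.example.test \
        -config "$dir/ext.cnf" -out "$dir/leaf.csr"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/ext.cnf" -extensions leaf_ext \
        -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/ca.crt" "$dir/leaf.crt" > "$dir/chained.pem"
}
```

Run check_ca_chain against the chained.pem you hand to -CAfile: every line should show CA:TRUE, and any CA:FALSE or absent entry is the certificate that got mixed in by mistake.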