Opened 11 years ago
Closed 11 years ago
#204 closed Bug / Defect (notabug)
nsCertType not set to "client" for a client cert
Reported by: | zmi | Owned by: | Eric Crist |
---|---|---|---|
Priority: | trivial | Milestone: | RC 2.3 |
Component: | Certificates | Version: | OpenVPN 2.3-beta / 2.3-RC (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | nsCertType, client, openssl.cnf |
Cc: |
Description
For better security, I set this in the server config:
ns-cert-type client
But then I got an error about my client cert:
VERIFY nsCertType ERROR: C=AT, ST=NOE, L=Korneuburg, O=Proteger, OU=IT, CN=itm-zmibook3, name=Michael Monnerie, emailAddress=hostmaster@…, require nsCertType=CLIENT
And this was because the cert generated for my client was not set to cert-type client.
This is fixed simply with a one liner for easy-rsa/2.0/openssl-0.9.8.cnf:
# diff openssl-0.9.8.cnf /tmp/openssl-0.9.8.cnf
182a183,184
# ZMI 20120424
nsCertType = client
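Review bot: the two lines added after line 182 carry no visible section header, so the diff does not show which extension section of openssl-0.9.8.cnf "nsCertType = client" lands in. An extension section applies to every certificate signed with it, so if that section is also used when signing server certificates, those would be marked as client certificates too. Please include the enclosing "[ ... ]" section line in the diff and confirm that only client certificates are issued from it.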
Now I can enable "ns-cert-type client" on the server side.
This is for version openvpn-2.3-alpha1
Change History (3)
comment:1 Changed 11 years ago by
comment:2 Changed 11 years ago by
Owner: | set to Eric Crist |
---|---|
Status: | new → assigned |
comment:3 Changed 11 years ago by
Resolution: | → notabug |
---|---|
Status: | assigned → closed |
See the forum link here: https://forums.openvpn.net/topic7484.html#p9218
This should adequately resolve your issue.
WONT
The ns* extensions are non-standard.
Use the EKU feature of both easy-rsa and OpenVPN.
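
The EKU approach recommended in the last comment, as an added configuration sketch that is not taken from the ticket or from easy-rsa's shipped files. The section names [ usr_cert ] and [ server ] are assumptions about how the CA's OpenSSL config is laid out.

```conf
# --- CA side: OpenSSL config used when signing (section names are assumed) ---

# Extensions applied to client certificates.
# extendedKeyUsage = clientAuth is the standard X.509 counterpart of
# the Netscape-specific "nsCertType = client".
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth

# Extensions applied to server certificates.
# extendedKeyUsage = serverAuth takes the place of "nsCertType = server".
[ server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

# --- OpenVPN server config, instead of "ns-cert-type client" ---
# Require that the peer certificate carries client key usage and EKU.
remote-cert-tls client

# --- OpenVPN client config, instead of "ns-cert-type server" ---
# Require that the peer certificate carries server key usage and EKU.
remote-cert-tls server
```

Extensions are fixed at signing time, so certificates issued before the CA config change have to be re-issued before the server-side check is enabled.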