Opened 9 years ago

Closed 9 years ago

#204 closed Bug / Defect (notabug)

nsCertType not set to "client" for a client cert

Reported by: zmi
Owned by: Eric Crist
Priority: trivial
Milestone: RC 2.3
Component: Certificates
Version: OpenVPN 2.3-beta / 2.3-RC (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: nsCertType, client, openssl.cnf
Cc:

Description

For better security, I set this in the server config:
ns-cert-type client

But then I got an error about my client cert:
VERIFY nsCertType ERROR: C=AT, ST=NOE, L=Korneuburg, O=Proteger, OU=IT, CN=itm-zmibook3, name=Michael Monnerie, emailAddress=hostmaster@…, require nsCertType=CLIENT

And this was because the cert generated for my client was not set to cert-type client.

This is fixed simply with a one-liner for easy-rsa/2.0/openssl-0.9.8.cnf:

# diff openssl-0.9.8.cnf /tmp/openssl-0.9.8.cnf
182a183,184

# ZMI 20120424
nsCertType = client
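
Review bot: the added `nsCertType = client` at line 183 arrives with no surrounding context, because this is a normal-format hunk (`182a183,184`), so it is not visible which section of openssl-0.9.8.cnf the line lands in and therefore which certificates will carry the extension. A unified diff (`diff -u`) would show the enclosing section header and make that reviewable. The comment `# ZMI 20120424` records who and when but not why; it should say the line exists so that `ns-cert-type client` passes on the server.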

Now I can enable "ns-cert-type client" on the server side.

This is for version openvpn-2.3-alpha1

Change History (3)

comment:1 Changed 9 years ago by alonbl

WONT

The ns* extensions are non-standard.

Use the EKU feature of both easy-rsa and OpenVPN.
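
The EKU approach named in comment:1, sketched as an added example that is not part of the original ticket or of easy-rsa's shipped files: the section used for client certificates carries a standard extended key usage instead of the Netscape extension, and OpenVPN checks it with `remote-cert-tls`. The section name `usr_cert` and the grouping of three files into one listing are assumptions about the local setup.

```conf
# --- openssl.cnf (easy-rsa): extensions applied when signing CLIENT certs ---
# Section name "usr_cert" is an assumption; use the section your
# signing command selects for client certificates.
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always

# Approach from the ticket (Netscape extension, non-standard):
# nsCertType           = client

# Standard X.509 replacement: mark the cert for TLS client authentication.
extendedKeyUsage       = clientAuth
# remote-cert-tls also checks key usage, so state it explicitly.
keyUsage               = digitalSignature

# --- OpenVPN server config ---
# Setting from the ticket, which needs nsCertType in the client cert:
# ns-cert-type client

# EKU-based check: reject peers whose certificate lacks the
# "TLS Web Client Authentication" extended key usage.
remote-cert-tls client

# --- OpenVPN client config (mirror check on the server's certificate) ---
# Requires the server cert to carry extendedKeyUsage = serverAuth.
remote-cert-tls server
```

Certificates issued before the change do not gain the extension and have to be reissued. Running `openssl x509 -in client.crt -noout -text` (file name constructed for illustration) lists the result under "X509v3 Extended Key Usage".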

comment:2 Changed 9 years ago by David Sommerseth

Owner: set to Eric Crist
Status: new → assigned

comment:3 Changed 9 years ago by Eric Crist

Resolution: notabug
Status: assigned → closed

See the forum link here: https://forums.openvpn.net/topic7484.html#p9218

This should adequately resolve your issue.
