| 1 | = What are certificate chains? = |
| 2 | Certificate chains are (daisy) chained certificates. They are most often used in secure web servers, where the 'root CA' is a globally known CA certificate , such as GlobalTrust or VeriSign. |
| 3 | |
| 4 | A certificate chain can be depicted using ASCII art: |
| 5 | {{{ |
| 6 | root-CA |
| 7 | + sub-CA1 |
| 8 | + sub-CA2 |
| 9 | + SSL server certificate |
| 10 | + SSL client certificate |
| 11 | }}} |
| 12 | The dependency of the "SSL server certificate" on the "sub-CA2" certificate, which in turn depends on the "sub-CA1" certificate which depends on the "root-CA" certificate is what makes this a certificate '''chain''' |
| 13 | |
| 14 | = Certificate chains versus stacked certificates = |
| 15 | A certificate chain has a dependency between the different elements. A stacked certificate means that a bunch of certificates have been stacked together. OpenVPN supports both. When using certificates signed by multiple CAs it is often sufficient to simply stack the different CA certificates together: |
| 16 | {{{ |
| 17 | $ cat ca1.crt ca2.crt ca3.crt > stacked.crt |
| 18 | }}} |
| 19 | and use them in the OpenVPN configuration using |
| 20 | {{{ |
| 21 | ca stacked.crt |
| 22 | }}} |
| 23 | |
| 24 | '''Imporant notice''': All certificates which are signed by '''any''' of the CA certificates found in the 'stacked.crt' file are considered valid. Thus, be very careful when adding CA certificates to a stacked certificate. |
| 25 | |
| 26 | Certificate ''chains'' are very similar but here the client (or server) certificate itself and its sub-CA certificates are stacked together, as will be explained in the following section. |
| 27 | |
| 28 | = How to use certificate chains in OpenVPN = |
| 29 | |
| 30 | 1. Consider the following CA setup: |
| 31 | * the 'root CA' certificate is 'ca.crt' |
| 32 | * the server certificate is signed by the root CA |
| 33 | * a separate sub-CA or intermediary CA is created, which is also signed by the root CA |
| 34 | * the client certificates are signed by the sub-CA. |
| 35 | This can be depicted using some ASCII-art: |
| 36 | {{{ |
| 37 | ca.crt --- server.crt |
| 38 | +-- sub-ca.crt --- client.crt |
| 39 | }}} |
| 40 | |
| 41 | 2. Create a chained certificate by concatenating the client.crt and sub-ca.crt file in the right order: |
| 42 | {{{ |
| 43 | $ cat client.crt sub-ca.crt > chained.crt |
| 44 | }}} |
| 45 | |
| 46 | 3. Configure the OpenVPN server using |
| 47 | {{{ |
| 48 | ca ca.crt |
| 49 | cert server.crt |
| 50 | }}} |
| 51 | |
| 52 | 4. Configure the clients using |
| 53 | {{{ |
| 54 | ca ca.crt |
| 55 | cert chained.crt |
| 56 | }}} |
| 57 | |
| 58 | then the server will accept connections from the client even though it does not directly have access to the sub-ca.crt file. |