[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

[Openvpn-users] error=self signed certificate

  • Subject: [Openvpn-users] error=self signed certificate
  • From: Kevin DeGraaf <kevin@xxxxxxxxxxxxxxxx>
  • Date: Sun, 12 Dec 2004 18:48:04 -0500 (EST)

I set up an OpenVPN server based on a working config file and this
key-generation procedure:

# Generate DH params
openssl dhparam -out dh2048.pem 2048

# Generate CA key/cert
openssl req -x509 -newkey rsa:2048 -keyout private/cakey.pem \
  -out cacert.pem

# Generate server key/cert
openssl req -new -nodes -keyout server.key -out server.csr

# Generate user key/cert
openssl req -newkey rsa:2048 -keyout username.key -out username.csr

# Sign keys
openssl ca -in server.csr -out server.crt
openssl ca -in username.csr -out username.crt

My openssl.cnf is the default, with the following modifications:

  dir = /etc/ssl/CertAuth
  unique_subject = yes
  private_key = $dir/private/cakey.pem
  default_days = 3650
  default_bits = 2048

  *_default -> defaults for my organization

When I attempt to bring up a connection, I receive the following error
(XXX replacing sensitive info):

VERIFY ERROR: depth=1, error=self signed certificate in certificate chain:

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

AFAIK, this setup mirrors a working one.  Where did I go wrong?

Kevin DeGraaf

Openvpn-users mailing list