Avatar of Bastiaan
Flag for Netherlands

asked on 

Setting up OpenVPN AS with Windows PKI


I hope you can help me.

I'm trying to setup OpenVPN AS (v2.8.8) which uses certificates of a PKI (Windows PKI) instead of its own certificates, and are running into an issue. I have followed the article External public key infrastructure (PKI) | OpenVPN of OpenVPN, but i can not connect with a client. When i'm switching back to a situation without certificates the VPN works.

I'm getting an error on the client:
Client version 3.2 -> External Certificate Signing failed
Client version 3.1 -> mbed TLS:SSL read error:X509 - Certificate verification failed, eg. CRl, CA or signature check failed

I suspect an issue with the certificates loaded on the server, but i can't figure it out.

I have created a server Certificate and exported with windows (PFX). I created a CA bundle by copying my intermediate and root in one file. Then i created the server crt with:

and the key file with

These 3 files i have used for the OpenVPN configuration.

In the server log i see the following error when a client connects:
TLS: Initial packet from [AF_INET]serverext:54155 (via [AF_INET]serverin%eth0), sid=b4888b85 39f44b5b'
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'
TLS Error: TLS handshake failed'


Avatar of undefined
Last Comment

8/22/2022 - Mon