
Setting up OpenVPN AS with Windows PKI

Asked by Bastiaan (Netherlands)

I hope you can help me.

I'm trying to set up OpenVPN AS (v2.8.8) to use certificates of a PKI (Windows PKI) instead of its own certificates, and I am running into an issue. I have followed the OpenVPN article "External public key infrastructure (PKI) | OpenVPN", but I cannot connect with a client. When I switch back to a situation without certificates, the VPN works.

I'm getting an error on the client:
Client version 3.2 -> External Certificate Signing failed
Client version 3.1 -> mbed TLS:SSL read error:X509 - Certificate verification failed, eg. CRl, CA or signature check failed

I suspect an issue with the certificates loaded on the server, but I can't figure it out.

I have created a server certificate and exported it with Windows (PFX). I created a CA bundle by copying my intermediate and root into one file. Then I created the server crt with:

and the key file with

I have used these 3 files for the OpenVPN configuration.

In the server log i see the following error when a client connects:
TLS: Initial packet from [AF_INET]serverext:54155 (via [AF_INET]serverin%eth0), sid=b4888b85 39f44b5b'
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)'
TLS Error: TLS handshake failed'
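
One way to sanity-check the three files described in the question (CA bundle, server certificate, private key) before loading them into the server, as an added example that is not part of the original post. It assumes the `openssl` CLI is installed and that all three files are PEM; the function name and file names are hypothetical.

```shell
#!/bin/sh
# Added example: consistency checks on the three PEM files loaded into the
# server. Function and file names are hypothetical, not from the post.

check_vpn_pki() {
    ca_bundle=$1; server_crt=$2; server_key=$3
    rc=0

    # 1. The bundle must contain every CA from the server cert up to the
    #    root, and the cert must be acceptable as a TLS server certificate.
    if ! openssl verify -purpose sslserver -CAfile "$ca_bundle" \
            "$server_crt" >/dev/null 2>&1; then
        echo "FAIL: $server_crt does not verify against $ca_bundle"
        echo "      issuer: $(openssl x509 -in "$server_crt" -noout -issuer 2>/dev/null)"
        rc=1
    fi

    # 2. The private key must belong to the certificate: compare the public
    #    key inside the cert with the one derived from the key file.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$server_crt" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$server_key" -passin pass: -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $server_key does not match $server_crt (or is unreadable)"
        rc=1
    fi

    # 3. The certificate must not be expired.
    if ! openssl x509 -in "$server_crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $server_crt is expired or unreadable"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: chain, key match and validity checks passed"
    return "$rc"
}

# Usage: sh check_pki.sh ca_bundle.pem server.crt server.key
if [ "$#" -eq 3 ]; then
    check_vpn_pki "$@"
fi
```

A failure in check 1 points at an incomplete or wrong CA bundle; a failure in check 2 means the extracted key is not the one that belongs to the exported certificate.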

