Menu
▾
▴
Re: [Openvpn-users] RV: [SOLVED] ERROR = unsupported certificate purpose
|
From: Alon Bar-L. <alo...@gm...> - 2008-03-27 15:51:56
|
Hello, Please stop using the netscape extension, use only the standard enhanced key usage. As it is standard and not netscape specific and more flexable. Options: --remote-cert-tls client|server or: --remote-cert-eku <oid> Alon. On 3/27/08, Damian Rivas <da...@ch...> wrote: > Ok, I've solved the problem, I'm posting the solution so it might be useful for someone that eventually have the same problem. Thanks to Jan Just Keijser help and suggestions we found out that both certificates(server and client) where generated as server ones, using the following commands: > > openssl x509 -text -noout -in server.crt > openssl x509 -text -noout -in damoros.crt > > They both showed these lines: > > X509v3 extensions: > Netscape Cert Type: > SSL Server > > So the error appeared because the client certificate was really a server certificate. It was not a mistake from myself, because I've used the correct commands. > > The problem was that my openssl.cnf file was screwed up, and it generated all certificates as server ones. I've replaced the openssl.cnf, with the openvpn source's one(it was easier than seeking the configuration error on the screwed up file), generated the certificates again, and it worked perfectly. > > I hope this may help anyone who is stuck with the same problem. > > Thanks Jan for your advice and help! > Best regards for everyone, > Damián > > ------------------------------------------------------------------------- > Check out the new SourceForge.net Marketplace. > It's the best place to buy or sell services for > just about anything Open Source. > http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace > _______________________________________________ > Openvpn-users mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/openvpn-users > |
