From: Josh C. <jos...@us...> - 2009-01-30 23:55:30
Darren Govoni wrote:
> The name is the same 'client1', but the contents are different. I
> md5sum'd them. But I will double check this.
>

If your full DN is the same for both certs, this is disallowed per RFC 2459 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile) unless you're using a chain of CAs [1]. Each certificate containing a non-empty distinguished name (DN) field must be unique, and most CA software won't let you issue a cert with the same DN without revoking the old one first. You must have changed one of the other DN components (like country, state, organization, etc., which is a valid X.509 cert but will confuse OpenVPN), revoked the first without placing the CRL on the server, or have CA software that lets you issue "broken" certificates.

If you want to use multiple certs with the same CN (which also includes using a single keypair on multiple clients), you'll need to add the --duplicate-cn directive to the OpenVPN server so it won't disconnect matching clients.

[1] Using subordinate CAs with multiple certs containing the same CN: This process gets more complicated if a CA infrastructure includes the use of subordinate client-signing CAs, because each CA may issue certificates to clients that contain the same full DN. When using this setup with OpenVPN, coordination will need to take place between the CAs to ensure duplication of CNs is avoided, or use the --duplicate-cn option on the server.

-- 
Josh
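The two situations Josh distinguishes (several distinct certs sharing a CN, which only needs --duplicate-cn on the server, versus a CA that issued two distinct certs with the identical full DN, which is a CA problem) can be told apart from the subject and fingerprint of each client cert. The script below is an added example, not code from the thread or from OpenVPN; it assumes the input is the per-cert output of `openssl x509 -noout -fingerprint -sha256 -subject` in the modern "C = US, ..., CN = x" form, and the sample certs and fingerprints are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: (fingerprint, subject line) per client cert, as printed by
# `openssl x509 -noout -fingerprint -sha256 -subject -in <cert>`.
# Fingerprints are shortened placeholders, not real digests.
SAMPLE_CERTS = [
    ("AA:11", "subject=C = US, ST = CA, O = Example\\, Inc, CN = client1"),
    ("BB:22", "subject=C = US, ST = NY, O = Example\\, Inc, CN = client1"),  # same CN, ST differs
    ("CC:33", "subject=C = US, ST = CA, O = Example\\, Inc, CN = client2"),
    ("DD:44", "subject=C = US, ST = CA, O = Example\\, Inc, CN = client2"),  # distinct cert, same DN
    ("CC:33", "subject=C = US, ST = CA, O = Example\\, Inc, CN = client2"),  # same file seen twice
    ("EE:55", "subject=C = US, ST = CA, O = Example\\, Inc, CN = client3"),
]

def parse_subject(line):
    """Split an openssl subject line into an ordered tuple of (attr, value) pairs.
    Commas inside values are escaped by openssl as '\\,' and are unescaped here."""
    body = line[len("subject="):] if line.startswith("subject=") else line
    rdns = []
    for part in re.split(r"(?<!\\), ", body.strip()):
        attr, sep, value = part.partition(" = ")
        if not sep:
            raise ValueError(f"unparseable RDN: {part!r}")
        rdns.append((attr.strip(), value.replace("\\,", ",")))
    return tuple(rdns)

def classify(certs):
    """Return (CNs used by more than one distinct cert, full DNs issued more than once).
    Certs with the same fingerprint are the same file and are counted once."""
    distinct = {fp: parse_subject(subj) for fp, subj in certs}
    dn_counts = Counter(distinct.values())
    certs_per_cn = defaultdict(int)
    for dn in distinct.values():
        cn = dict(dn).get("CN")
        if cn is not None:
            certs_per_cn[cn] += 1
    shared_cns = sorted(cn for cn, n in certs_per_cn.items() if n > 1)
    repeated_dns = sorted(dn for dn, n in dn_counts.items() if n > 1)
    return shared_cns, repeated_dns

def format_dn(dn):
    return ", ".join(f"{a}={v}" for a, v in dn)

if __name__ == "__main__":
    shared_cns, repeated_dns = classify(SAMPLE_CERTS)
    for cn in shared_cns:
        print(f"CN {cn!r} is on several distinct certs: server needs --duplicate-cn")
    for dn in repeated_dns:
        print(f"full DN issued twice by the CA (check its index and CRL): {format_dn(dn)}")
```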