OpenVPN Unsupported Certificate Purpose

After setting up a new OpenVPN system, I suddenly ran into the following error message in my syslog:

VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=....


At first glance I thought that I had made a mistake when entering the Common Name. However, after some reading (especially the OpenVPN HOWTO), it became clear that OpenVPN does not check the Common Name of a peer certificate by default. Such a check can be added with the tls-verify option, which runs an external script against every certificate in the peer's chain (newer releases also offer verify-x509-name for the common case). However, I did not make use of it.
After a long search, the Linode Forum Thread “OpenVPN help… verify error depth=0?” brought the correct idea: as described in the section of the OpenVPN HOWTO on preventing “man-in-the-middle” attacks, I had configured my local Certification Authority (CA) to issue certificates with nsCertType set to server:

[...]
nsCertType = server
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

As I had automated key generation with a small script, the client certificate was created with this extension profile too. The check that then fails is not OpenVPN's own but OpenSSL's certificate purpose check: when the server verifies a connecting client, it asks OpenSSL to verify the certificate for the “SSL client” purpose, and a certificate whose nsCertType is set only to server (or whose extendedKeyUsage lists only serverAuth) is rejected with “unsupported certificate purpose”. A client verifies the server's certificate for the “SSL server” purpose in the same way, so the required extensions depend on the role the box is playing in the setup. (OpenVPN's own ns-cert-type, deprecated since 2.4, and remote-cert-tls options add an explicit, role-specific check on top of this.) This means:

  • Use nsCertType=server certificates only for your OpenVPN server!
  • Do not use nsCertType=server certificates for your OpenVPN clients!
  • Issue client certificates with nsCertType=client and extendedKeyUsage=clientAuth instead (a certificate carrying neither extension also passes the purpose check, but remote-cert-tls client on the server then has nothing to verify).

If you follow these rules, the “unsupported certificate purpose” error on the server side goes away.
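The following script, added here as an example and not code from the original post or the OpenVPN project, reproduces the failure and the fix offline with the openssl command line: it builds a throwaway CA, issues a server certificate with the extension profile quoted above, a client certificate with the client-side counterpart, and a second client certificate with the server profile (the mistake described above), then runs OpenSSL's purpose check on each the way an OpenVPN server (sslclient) and client (sslserver) do. The CA name, the certificate names and the temp directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a throwaway CA,
# issues one certificate per extension profile and asks OpenSSL the same
# purpose question an OpenVPN server asks of a connecting client
# (-purpose sslclient) and a client asks of the server (-purpose sslserver).
# Assumptions: the openssl CLI is installed and a temp directory is writable.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# [server_ext] is the profile quoted in the post; [client_ext] is its
# client-side counterpart. Only the purpose-related extensions differ.
write_config() {
    cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:true
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign

[ server_ext ]
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment

[ client_ext ]
nsCertType = client
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
EOF
}

make_ca() {
    openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# make_cert NAME EXTENSION_SECTION: key, CSR and CA-signed certificate for NAME
make_cert() {
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/pki.cnf" -extensions "$2" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# check_purpose NAME PURPOSE: prints "ok" when the certificate passes OpenSSL's
# purpose check (sslclient or sslserver), "fail" otherwise. The "fail" case is
# the one OpenVPN logs as "unsupported certificate purpose".
check_purpose() {
    if openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

setup_pki() {
    write_config
    make_ca
    make_cert server server_ext       # correct: server profile for the server
    make_cert client-good client_ext  # correct: client profile for a client
    make_cert client-bad server_ext   # the post's mistake: server profile for a client
}

setup_pki
for pair in "server sslserver" "server sslclient" \
            "client-good sslclient" "client-bad sslclient"; do
    set -- $pair
    printf '%-12s checked as %-9s -> %s\n' "$1" "$2" "$(check_purpose "$1" "$2")"
done
```

Running it prints ok for the server certificate checked as sslserver and for the client certificate checked as sslclient, and fail for client-bad checked as sslclient, which is exactly the certificate the OpenVPN server rejects. The generated files stay in the temp directory, so the same verify command can be repeated against the certificates a real CA issued: openssl verify -CAfile ca.crt -purpose sslclient client.crt is a quick pre-flight check before handing a certificate to a client.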
