OpenVPN And OpenSSL Certificate Types

posted: April 11th, 2010

If you want the OpenVPN client to verify that the server (the VPN endpoint) it is actually connecting to is the one named in its config, you will need to perform one of the steps in the howto. If you want to use the ‘remote-cert-tls server’ method, however, you must have planned for it before putting the server into production; otherwise you will have to generate a new certificate for the server.

If you want to check what attributes your server certificate has, you can use the OpenSSL command:

openssl x509 -in server.crt -text -noout

It will then spit out info about your OpenVPN server certificate, which you can use to determine whether the certificate was built with the nsCertType=server attribute. Look for something like this:

Netscape Cert Type: SSL Server

If it doesn’t have that, or:

X509v3 Extended Key Usage: TLS Web Server Authentication

then you will have to use a different method or re-generate the certificate.
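The check above can be scripted so it is repeatable before a server goes into production. The POSIX shell script below is an added example, not code from the original post or from the OpenVPN project; it assumes only that the openssl command-line tool is installed, and the function names and test file names are my own. The first two checks correspond to the two attributes in the text: the EKU "TLS Web Server Authentication" (extendedKeyUsage = serverAuth) is what `remote-cert-tls server` requires, and "Netscape Cert Type: SSL Server" (nsCertType = server) is what the older `ns-cert-type server` option required. The helper at the end generates throwaway self-signed certificates so the checks can be exercised offline against a certificate that has the extensions and one that does not.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an OpenVPN server
# certificate carries the extension that the client-side verification option
# will look for. Assumes the openssl CLI is present; all file names are constructed.

# cert_ext_value CERT HEADER
#   Prints the line that follows HEADER in 'openssl x509 -text' output, i.e. the
#   value of that X.509 extension (e.g. "TLS Web Server Authentication").
cert_ext_value() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk -v h="$2" 'index($0, h) { getline; print; exit }'
}

# has_server_eku CERT -> 0 if extendedKeyUsage contains serverAuth
# (this is the attribute 'remote-cert-tls server' checks)
has_server_eku() {
  cert_ext_value "$1" "X509v3 Extended Key Usage" | grep -q 'TLS Web Server Authentication'
}

# has_ns_server_type CERT -> 0 if nsCertType contains "server"
# (this is the attribute the older 'ns-cert-type server' option checked)
has_ns_server_type() {
  cert_ext_value "$1" "Netscape Cert Type" | grep -q 'SSL Server'
}

# openvpn_server_cert_check CERT
#   Prints each OpenVPN client option the certificate can satisfy and returns 0,
#   or prints a re-generate hint and returns 1 when neither attribute is present.
openvpn_server_cert_check() {
  ok=1
  if has_server_eku "$1"; then echo "remote-cert-tls server"; ok=0; fi
  if has_ns_server_type "$1"; then echo "ns-cert-type server"; ok=0; fi
  [ "$ok" -eq 0 ] || echo "no server attribute found: re-generate the certificate"
  return "$ok"
}

# make_test_cert OUT_PREFIX EXT...
#   Constructed test data: writes a self-signed certificate OUT_PREFIX.crt whose
#   x509v3 extensions are exactly the EXT lines given (e.g. "nsCertType = server").
make_test_cert() {
  out=$1; shift
  {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_test\nprompt = no\n'
    printf '[dn]\nCN = vpn.example.test\n'
    printf '[v3_test]\n'
    for ext in "$@"; do printf '%s\n' "$ext"; done
  } > "$out.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$out.cnf" -keyout "$out.key" -out "$out.crt" >/dev/null 2>&1
}

# Usage: sh check-server-cert.sh server.crt
if [ -n "${1:-}" ]; then
  openvpn_server_cert_check "$1"
fi
```

A certificate that has only the Netscape attribute satisfies the `ns-cert-type server` check but not `remote-cert-tls server`; since OpenVPN 2.5 removed `ns-cert-type`, a server certificate issued today should carry extendedKeyUsage = serverAuth so that `remote-cert-tls server` works.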