Thanks a lot, I wanted to get a bit of an understanding of working with certificates, but I'll come back to that some other time. So I followed the documentation and only increased the key size. The VPN client complains about key usage, though, so I tried generating the certificates again with the key usage I read about for OpenVPN, but I still have the feeling I did it wrong. Does anyone know where I made the mistake? Thanks a lot
Thu Feb 23 22 2017 VERIFY OK: depth=1, CN=mojeCA
Thu Feb 23 22 2017 Validating certificate key usage
Thu Feb 23 22 2017 ++ Certificate has key usage 00a8, expects 00a0
Thu Feb 23 22 2017 ++ Certificate has key usage 00a8, expects 0088
Thu Feb 23 22 2017 VERIFY KU ERROR
Thu Feb 23 22 2017 OpenSSL: error routines verify failed
Thu Feb 23 22 2017 TLS_ERROR: BIO read tls_read_plaintext error
Thu Feb 23 22 2017 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 23 22 2017 TLS Error: TLS handshake failed
Thu Feb 23 22 2017 Fatal TLS error (check_tls_errors_co), restarting
Thu Feb 23 22 2017 SIGUSR1 received, process restarting
Thu Feb 23 22 2017 MANAGEMENT: >STATE,RECONNECTING,tls-error,,
/certificate> print detail
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
0 K L A T name="mojeCA" common-name="mojeCA" key-size=4096
days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign
ca-crl-host="192.168.1.1" serial-number="3E3E094B1AA9C34F"
fingerprint="fa6e98de12354bde4d057f4392ac56a2a351e29b628474968d3cea53741529ac"
invalid-before=feb/23/2017 22
invalid-after=feb/23/2018 22
1 K I name="server" common-name="server" key-size=4096 days-valid=365
trusted=yes key-usage=digital-signature,key-encipherment,key-agreement,tls-server
ca=mojeCA serial-number="698F2A05E78E339E"
fingerprint="abe6ffe4adf213e746af08f6d8e940c34e1208fd74d6588a9206197ba5bff739"
invalid-before=feb/23/2017 22
invalid-after=feb/23/2018 22
2 K I name="client1" common-name="client1" key-size=4096 days-valid=365
trusted=no key-usage=digital-signature,key-agreement,tls-client
ca=mojeCA serial-number="136E6ACA1A5C3F6A"
fingerprint="f0f47487fda1063f4e3fcccff16fb6b8ebda5786053439bfb91a975743011277"
invalid-before=feb/23/2017 22
invalid-after=feb/23/2018 22
3 K I name="client2" common-name="client2" key-size=4096 days-valid=365
trusted=no key-usage=digital-signature,key-encipherment,tls-client
ca=mojeCA serial-number="6651895679D077B3"
fingerprint="7728fc742fb702f38e3e30beb2e9ba18f7df2dee6e8738eaeb28119d8065da5c"
invalid-before=feb/23/2017 22
invalid-after=feb/23/2018 22
client config, something may be wrong here too, I'm still learning this and there is a lot I don't understand yet:
client
remote xxx.xxx.xxx.xxx
dev tun
verb 3
port 1194
proto tcp-client
nobind
ca cert_export_mojecaCA.crt
cert client1.crt
key client1.key
tls-client
remote-cert-tls server
#remote-cert-ku b6
#cipher AES-256-CBC
#auth-nocache
#redirect-gateway
tls-timeout 300
#hand-window 300
#comp-lzo
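Added example, not part of the post: a small Python check that decodes the key-usage masks in the "VERIFY KU ERROR" lines above. OpenVPN logged that it accepts only a KU exactly equal to 00a0 or 0088, so decoding which RFC 5280 bits 00a8 sets beyond each expected value shows where the server certificate differs; the bit values follow OpenSSL's KeyUsage flags, and the regex assumes the log line format shown in the post.

```python
import re

# KeyUsage bit values as OpenSSL reports them and as OpenVPN prints them
# in "Certificate has key usage XXXX, expects YYYY" (RFC 5280 bit order).
KU_BITS = [
    (0x0080, "digitalSignature"), (0x0040, "nonRepudiation"),
    (0x0020, "keyEncipherment"), (0x0010, "dataEncipherment"),
    (0x0008, "keyAgreement"), (0x0004, "keyCertSign"),
    (0x0002, "cRLSign"), (0x0001, "encipherOnly"),
    (0x8000, "decipherOnly"),
]
KU_LINE = re.compile(
    r"Certificate has key usage ([0-9a-fA-F]{4}), expects ([0-9a-fA-F]{4})"
)

def decode_ku(mask):
    """Turn a KeyUsage bitmask into the list of usage names it sets."""
    return [name for bit, name in KU_BITS if mask & bit]

def diagnose_ku(log_text):
    """Compare the presented KU with every value OpenVPN said it expects.

    OpenVPN accepts the certificate only if the mask equals one of the
    expected values exactly, so per expected value the report lists the
    bits the certificate has in surplus and the bits it lacks.
    """
    actual, expected = None, []
    for m in KU_LINE.finditer(log_text):
        actual = int(m.group(1), 16)
        expected.append(int(m.group(2), 16))
    if actual is None:
        return None  # log contains no KU verification lines
    return {
        "actual": decode_ku(actual),
        "accepted": actual in expected,
        "surplus": {f"{e:04x}": decode_ku(actual & ~e) for e in expected},
        "missing": {f"{e:04x}": decode_ku(e & ~actual) for e in expected},
    }

# Constructed sample: the two KU lines from the client log in the post.
SAMPLE_LOG = """\
Thu Feb 23 22 2017 ++ Certificate has key usage 00a8, expects 00a0
Thu Feb 23 22 2017 ++ Certificate has key usage 00a8, expects 0088
"""

if __name__ == "__main__":
    print(diagnose_ku(SAMPLE_LOG))
```

On the post's log it reports that the server certificate carries keyAgreement on top of digitalSignature and keyEncipherment, one bit more than the first expected mask; nothing is missing, the surplus bit alone makes the exact-match check fail.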