ocserv with StartSSL server and client certificate
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Wed Dec 3 04:13:17 PST 2014
On Wed, Dec 3, 2014 at 11:33 AM, Michael Köhler
<bittehier at nurfuerspam.de> wrote:
> Hi,
> I want to get ocserv with certificates from StartSSL running but it doesn´t work.
Hi,
What doesn't work?
> The special thing with StartSSL is that they use Sub-CAs for signing server and client certificates. So I´ve a server certificate from sub.class2.server.ca.pem and client certificates from sub.class1.server.ca.pem and sub.class2.server.ca.pem. So what should I do to get ocserv running?
> I´ve created a server certificate with certificate chain inside (cat server.pem sub.class2.server.ca.pem ca.pem > /etc/ocserv/ssl/server-chain-cert.pem) and the config settings:
> server-cert = /etc/ocserv/ssl/server-chain-cert.pem
> server-key = /etc/ocserv/ssl/server-key.pem
Nothing special about it, seems reasonable.
> Then I created a CA chain certificate for all client certificates with sub.class1.server.ca.pem (cat sub.class1.server.ca.pem ca.pem > /etc/ocserv/ssl/ca-sub1-chain-cert.pem).
> ca-cert = /etc/ocserv/ssl/ca-sub1-chain-cert.pem
> But now I don´t know how I could enable the login access for individual user with certificate from sub.class1.server.ca.pem?
If you use
auth = "certificate"
and ca-cert has the authority that signs certificates, what you
describe will work.
However, I am confused from your description. Are
ca-sub1-chain-cert.pem and sub.class1.server.ca.pem the same thing?
Why did you use different names?
In any case the rule is in ca-cert you put the CA to verify the
clients, and in server-cert, the chain of your server's CA.
regards,
Nikos
More information about the openconnect-devel
mailing list