ocserv: server certificate generation

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Dec 17 07:53:05 EST 2013

On Tue, Dec 17, 2013 at 7:57 AM, Per Juborg <per at juborg.nu> wrote:
> Hi,
> I've managed to compile ocserv and create a minimal config file on my Mac OSX 10.8.5.
> However, I need to know how to create a proper server certificate, the manual isn't very clear on that subject.
> When starting my server I get the following message: server certificate key usage prevents key encipherment; unable to support the RSA ciphersuites
> How should I generate my certificate?

Follow the instructions for the user certificate but use the following template:
cn = "www.example.com"
expiration_days = 9999

> Is also seems that the server doesn't present the CA certificate, I've only been able to test that with a browser.

The TLS protocol requires that the CA certificate isn't included in
the list presented by the server (but many servers don't follow that
requirement). There is no need for that since the client must already
have it to very the server certificate.
Nevertheless, if you need to have it included just append it after the
server certificate.


More information about the openconnect-devel mailing list