Re: Good question!

#54070

DrmCa
Participant

Not really sure I have set up everything correctly.
How can I find out for sure?

VPN is set up to use X.509+password, the certificate CA.pem was downloaded from the login page and the user installed it.
1st drop down: Local CA
2nd drop down: OU=hosts, CN=router.earthlovesme.ca
It is a valid non-expired certificate

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, O=Zeroshell.net, OU=Example, CN=ZeroShell Example CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Validity
Not Before: Apr 9 16:11:41 2016 GMT
Not After : Apr 7 16:11:41 2026 GMT
Subject: OU=Hosts, CN=router.earthlovesme.ca
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c2:df:e5:5d:b6:2d:7f:32:27:4c:c3:32:29:4c:
...
ec:b3:7d:1f:d2:95:4b:94:a5:38:f6:ea:03:f1:3b:
08:a3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
9f:d6:62:66:23:85:1a:bb:31:e5:15:f8:5a:06:e9:20:43:2b:
...
1e:0f:af:6e:c6:4e:27:3c:33:30:56:df:94:a1:c9:fa:29:aa:
12:97:ca:84
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
BEGIN CERTIFICATE
MIIDUzCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBhTELMAkGA1UEBhMCSVQx
...
28272mxnj5f7XTJeujiFXHoeD69uxk4nPDMwVt+Uocn6KaoSl8qE
END CERTIFICATE

But here is something I do not understand: when exporting the router certificate from X509 manager, it spits out router.earthlovesme.ca.pem which is 2891 bytes long and has 2 sections inside for the cert and sig:



BEGIN CERTIFICATE
MIIDUzCCAjugAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBhTELMAkGA1UEBhMCSVQx
...
28272mxnj5f7XTJeujiFXHoeD69uxk4nPDMwVt+Uocn6KaoSl8qE
END CERTIFICATE

BEGIN RSA PRIVATE KEY
MIIEpQIBAAKCAQEAwt/lXbYtfzInTMMyKUw/U5zVyUm4xLxjAQVxfkE2t4DGlgfo
...
6yqRZHfxGMDIFkp+eONj5Mqw7I8amjX6PW9ZWg9aMT3P3UCUIdkGlz8=
END RSA PRIVATE KEY

But CA.pem that the login page spits out (and which I sent to the user to install in OpenVPN GUI config folder) is 1619 bytes long and has only one section (it is Okay if they are different, as I had to re-generate since exporting the router.earthlovesme.pem):



BEGIN CERTIFICATE
MIIEfTCCA2WgAwIBAgIJAN5geVTw/yoQMA0GCSqGSIb3DQEBBQUAMIGFMQswCQYD
...
DEfTvzA/KxMOY0q47fQ41wJrcYFkwSL5okHsbsJvbyKsMluJx9Gw2NY5opNRqwaP
zw==
END CERTIFICATE
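
An added example, not part of the original post: a small check that lists the sections in a PEM file and flags private key material, which is the difference between the two files described above (the router export holds a certificate plus its RSA private key, CA.pem holds one certificate). It assumes standard dashed PEM markers (`-----BEGIN ...-----`), which the post shows without dashes, and the sample payloads are constructed bytes, not real certificates.

```python
import base64
import hashlib
import re

# One PEM block: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_sections(text):
    """Return [(label, decoded_length, sha256_hex)] for every PEM block."""
    sections = []
    for label, body in PEM_BLOCK.findall(text):
        # Skip RFC 1421 header lines (e.g. "Proc-Type: 4,ENCRYPTED").
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        der = base64.b64decode(b64, validate=True)
        sections.append((label, len(der), hashlib.sha256(der).hexdigest()))
    return sections


def has_private_key(text):
    """True if the file carries key material that should not be handed out."""
    return any(lbl.endswith("PRIVATE KEY") for lbl, _, _ in pem_sections(text))


def shared_certificates(text_a, text_b):
    """Digests of certificates that appear byte-for-byte in both files."""
    def certs(text):
        return {h for lbl, _, h in pem_sections(text) if lbl == "CERTIFICATE"}
    return certs(text_a) & certs(text_b)


def _pem(label, payload):
    # Wrap constructed bytes as PEM; the payloads are NOT real DER.
    b64 = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed samples mirroring the two layouts in the post.
HOST_EXPORT = (_pem("CERTIFICATE", b"host-cert-bytes") + "\n"
               + _pem("RSA PRIVATE KEY", b"host-key-bytes"))
CA_ONLY = _pem("CERTIFICATE", b"ca-cert-bytes")

if __name__ == "__main__":
    for name, text in (("router export", HOST_EXPORT), ("CA.pem", CA_ONLY)):
        print(name, [(lbl, n) for lbl, n, _ in pem_sections(text)],
              "private key present:", has_private_key(text))
```

Only a file for which `has_private_key` returns False is suitable to hand to VPN users; an empty result from `shared_certificates` confirms that two files hold different certificates.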