Using multi-certificate certificate file with PKI and OpenVPN


I’m running into a problem regarding certificates for VyOS 1.4. The problem arises when having a CA certificate file with multiple certificates in it that I want to use in my OpenVPN configuration.

In VyOS I’m using OpenVPN and in VyOS 1.3 we can supply the CA certificates as a file path (ca.crt, for example), however, in VyOS 1.4 introduced PKI, where you have to import each certificate separately. Now I’m able to import all the certificates/keys, but how am I supposed to use this with OpenVPN?

In VyOS 1.3 you could do:
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/openvpn/ca.crt

In VyOS 1.4 you have to do:

set pki ca ca-crt1 certificate xyz
set pki ca ca-crt2 certificate xyz
set pki ca ca-crt3 certificate xyz
set interfaces openvpn vtun1 tls ca-certificate 'ca-crt1'

However, “ca-crt1” points to a single certificate instead of a list of certificates, so this is incorrect I believe. Looking at the final OpenVPN .conf file seems to confirm this, since the .conf contains a line “ca /run/openvpn/vtun1_ca.pem” which has only a single certificate. In the working OpenVPN configuration, the “ca” line would point to a file which has all CA certificates in it.

Can someone explain to me how to correctly use this functionality in VyOS 1.4, the documentation does not cover this use case AFAICT. Please correct me if I’m wrong.

Kind regards

Anyone who has an idea how to approach this?

Did you try:
Store your certs like in the old days, and use openvpn-option to get whatever you want in .conf file
set interfaces openvpn vtun10 openvpn-option ‘line here’

Made a task here: ⚓ T4485 OpenVPN: Allow multiple CAs certificates

Will look at implementing multiple values this week.

set interfaces openvpn vtun1 tls ca-certificate 'ca-crt1'
set interfaces openvpn vtun1 tls ca-certificate 'ca-crt2'
set interfaces openvpn vtun1 tls ca-certificate 'ca-crt3'

PR adding support should hopefully be merged shortly.

1 Like

Seems I’ve run into the same issue, but with EAPoL rather than openvpn. Presently waiting for my Phabricator account to get approved so I can submit the bug report. Need to hold off on the upgrade to 1.4 for a while I guess.