I’m running into a problem regarding certificates for VyOS 1.4. The problem arises when having a CA certificate file with multiple certificates in it that I want to use in my OpenVPN configuration.
In VyOS I’m using OpenVPN, and in VyOS 1.3 we can supply the CA certificates as a file path (ca.crt, for example). However, VyOS 1.4 introduced PKI, where you have to import each certificate separately. Now I’m able to import all the certificates/keys, but how am I supposed to use this with OpenVPN?
In VyOS 1.3 you could do:
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/openvpn/ca.crt
In VyOS 1.4 you have to do:
set pki ca ca-crt1 certificate xyz
set pki ca ca-crt2 certificate xyz
set pki ca ca-crt3 certificate xyz
set interfaces openvpn vtun1 tls ca-certificate 'ca-crt1'
However, “ca-crt1” points to a single certificate instead of a list of certificates, so this is incorrect I believe. Looking at the final OpenVPN .conf file seems to confirm this, since the .conf contains a line “ca /run/openvpn/vtun1_ca.pem” which has only a single certificate. In the working OpenVPN configuration, the “ca” line would point to a file which has all CA certificates in it.
Can someone explain to me how to correctly use this functionality in VyOS 1.4? The documentation does not cover this use case AFAICT. Please correct me if I’m wrong.