I think i messed up a little with my SSL certificates. We are using SSL Certificates for all OpenVPN clients (witch works perfectly), generated using the easy-rsa toolkit.
And now i want to use the same certificates for Web servers on the OpenVPN hosts
All Keys are 4096 bit long.
My idea is that mybe the Usage purpose is wrong for apache, but i am not quite sure.
root@howard~# openssl x509 -in howard.example.com.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 15 (0xf)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=AT, ST=STMK, L=Graz, O=Bee Company, OU=Root CA, CN=example.com/name=rootca/[email protected]
Validity
Not Before: Aug 13 12:36:41 2013 GMT
Not After : Aug 11 12:36:41 2023 GMT
Subject: C=AT, ST=STMK, L=Graz, O=example.com.at, OU=changeme, CN=howard.example.com/name=howard.example.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
NOTHING_TO_READ_HERE :)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
NOTHING_TO_READ_HERE :)
X509v3 Authority Key Identifier:
keyid:NOTHING_TO_READ_HERE :)
DirName:/C=AT/ST=STMK/L=Graz/O=Bee Company/OU=Root CA/CN=example.com/name=rootca/[email protected]
serial:NOTHING_TO_READ_HERE :)
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha1WithRSAEncryption
I have no idea how to change/add the purpose of a key when i am generating it with the easy-rsa toolkit.
All i do when generating a new OpenVPN certificate:
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
vi vars
. ./vars
./build-key CLIENTNAME
And inside the vars file i couldn't find anything.
But Firefox is returning an
sec_error_inadequate_cert_type
Microsoft's IE just prompts me over and over again if I really trust this certificate...
Any ideas on what i did wrong, or what i need to do?
My idea would be that apache cant handle 4096 bit Keys...
