Recently I had to update my certificates. As things go, I decided to do a 2 tier CA. Of course, this compilcates the config of systems like OpenVPN. This needed some bending of the configs to get what I wanted.
Critical config enrties to make this all work – with comments
ca /etc/openvpn/root-ca.cert <= root CA certificate cert /etc/openvpn/chain.cert <= certificate chain : server cert + intermediate CA cert key /etc/openvpn/private.key <= certificate private key dh /etc/openvpn/dh.pem <= Diffie-Helman key exchange parameters tls-version-min 1.2 <= force TLS 1.2 ciphers
- Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA TLS v1.2 achieved.
- OpenVPN working.