[plug] OpenVPN with Ubuntu

Daniel Pittman daniel at rimspace.net
Thu Jan 8 11:25:09 WST 2009

"Kai Jones" <kaij at kamsc.org.au> writes:

> This is my first bash at configuring VPN, on Ubuntu 8.1, using
> OpenVPN,

The release is '8.10', where 10 is the month of release.

> reading the HOWTO:
> http://openvpn.net/index.php/documentation/howto.html
> The box I'm working on is in service so I'm trying to be careful not
> to break anything, so far I can get it as far as handshaking, with
> this error:
> Thu Jan  8 08:27:33 2009 VERIFY ERROR: depth=0, error=unsupported
> certificate purpose:

That snapping sound you can hear is my patience going: the damn
"certificate purpose" stuff is a royal PITA, and almost none of them
cover this part.


> Maybe I'm using the wrong search terms in Google but so far I haven't
> found anything that helps point me in the right direction as to how
> you set a certificate's purpose, where to find something that shows me
> how to make a certificate fit its purpose (?!) and/or how to turn off
> certificates temporarily just to see if the VPN will at least connect
> without it

Well, it is a feature of the CSR, more or less, and the default is set
by OpenSSL if you are using the CA support that came with the tool.

(For reference, I use xca[1] to manage the CA, and it sucks an awful lot
 less than the default stuff for a small system.)

Anyway, you need to edit the OpenSSL configuration file used when
running the CA and set the 'nsCertType' and 'keyUsage' fields to
whatever specific features you require.

(IIRC, only nsCertType server and client are required, but it has been a
 couple of years since I set up an OpenVPN CA myself.)


[1]  http://xca.sourceforge.net/
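
The purpose check behind the "unsupported certificate purpose" error can be reproduced offline with a throwaway CA. This is an added example, not part of the original message: the file name demo.cnf, the section names and the CNs are constructed, and extendedKeyUsage goes beyond the two fields the message names.

```shell
#!/bin/sh
# Added example: throwaway CA built only to show certificate-purpose checks.
# demo.cnf, the section names and the CNs are constructed for this demo.

make_demo_pki() {   # $1 = empty working directory
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = overridden-by-subj
[ demo_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
# extendedKeyUsage is an addition beyond the two fields the message names
extendedKeyUsage = serverAuth
[ client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Self-signed CA certificate carrying the demo_ca extensions.
    openssl req -x509 -config "$d/demo.cnf" -extensions demo_ca -newkey rsa:2048 \
        -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # One CSR per role, signed with the extension section of the same name.
    for role in server client; do
        openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=demo-$role" -keyout "$d/$role.key" \
            -out "$d/$role.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$role.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions "$role" \
            -out "$d/$role.crt" 2>/dev/null || return 1
    done
}

# Succeeds only if $1/$3.crt chains to the demo CA AND is valid for purpose $2
# (sslserver or sslclient); a mismatch is the purpose error quoted above.
check_purpose() {   # $1 = dir, $2 = purpose, $3 = role
    openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/$3.crt" >/dev/null 2>&1
}
```

Running `openssl verify -purpose sslserver` against a real server certificate and its CA file, without the output redirection, shows whether the CA's extension settings took effect before OpenVPN is involved.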

