Troubleshooting OpenSSL “Invalid CA Certificate” Error in OpenVPN PKI Setup with EJBCA Certificate Chain


When working with PKI-based OpenVPN setups, certificate chain validation is critical. The error messages indicate two specific problems with your OnlineSubCA certificate:

  1. invalid CA certificate (num=24) - Typically means the certificate lacks basic CA constraints
  2. unsupported certificate purpose (num=26) - Indicates the certificate's Extended Key Usage (EKU) doesn't include CA purposes

Let's examine the certificate chain using OpenSSL commands:

# OnlineSubCA sits between RootCA and SubCA1, so both intermediates must be supplied as untrusted
cat OnlineSubCA.crt SubCA1.crt > intermediates.pem
openssl verify -CAfile RootCA.crt -untrusted intermediates.pem VPNCA.crt
openssl x509 -in OnlineSubCA.crt -text -noout | grep -A 1 "Basic Constraints"
openssl x509 -in OnlineSubCA.crt -text -noout | grep -A 1 "Extended Key Usage"

The likely issues are:

  • Basic Constraints extension missing or not properly set (CA:TRUE)
  • Missing or incorrect Key Usage (keyCertSign, cRLSign)
  • Inappropriate Extended Key Usage for a CA certificate

In EJBCA, you need to ensure proper certificate profile configuration:

# For your OnlineSubCA in EJBCA admin interface:
1. Navigate to "Certificate Profiles"
2. Select your CA profile
3. Under "Basic Constraints":
   - Set "CA" to TRUE
   - Set "Path Length" as needed
4. Under "Key Usage":
   - Enable "Certificate Sign" and "CRL Sign"
5. Under "Extended Key Usage":
   - Either leave empty (all purposes) or specifically include "TLS Web Server Authentication"

After fixing the EJBCA profile, you'll need to:

  1. Revoke the current OnlineSubCA certificate
  2. Issue a new certificate with correct attributes
  3. Update all downstream certificates (SubCA1, VPNCA)

Once the certificate chain is fixed, ensure your OpenVPN config includes:

# In server.conf:
ca /etc/openvpn/certs/chained.pem
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
tls-verify "/etc/openvpn/scripts/verify-cn.sh"

Create a verification script to handle complex chains:

#!/bin/bash
# verify-cn.sh
# OpenVPN runs the tls-verify command with two arguments: the certificate
# depth (0 = peer certificate, 1 and up = issuing CAs) and the subject DN of
# the certificate at that depth.  A non-zero exit rejects the connection.
EXPECTED_CN="vpnclient"   # placeholder: the CN the peer certificate must carry
[ "$#" -eq 2 ] || exit 1  # fail closed on an unexpected invocation
DEPTH="$1"
SUBJECT="$2"
# Only the peer certificate is checked; CA certificates higher in the chain
# pass through, so a multi-level chain is not rejected here.
if [ "$DEPTH" -eq 0 ]; then
  case "$SUBJECT" in
    *"CN=$EXPECTED_CN"|*"CN=$EXPECTED_CN/"*|*"CN=$EXPECTED_CN, "*) ;;  # exact CN in either DN format
    *) exit 1 ;;
  esac
fi
exit 0

If immediate reissuance isn't possible, you can modify OpenSSL's verification behavior (temporarily):

# In OpenVPN config:
tls-remote "/C=CA/O=My_Company/CN=OnlineSubCA"
verify-x509-name "OnlineSubCA" name
remote-cert-tls client

Remember this bypasses proper chain validation and should only be used for testing.

After implementation, verify with:

openssl s_client -connect your.vpn.server:1194 \
  -cert client.crt -key client.key \
  -CAfile chained.pem \
  -verify_return_error -showcerts

Look for "Verify return code: 0 (ok)" in the output.


When OpenSSL reports "invalid CA certificate" (error 24) and "unsupported certificate purpose" (error 26) in a multi-level PKI chain, it typically indicates one of these fundamental issues:

RootCA -> OnlineSubCA -> SubCA1 -> VPNCA
        (Issuer)       (Issuer)  (Issuer)

The most common root cause is missing or incorrect Basic Constraints and Key Usage extensions in intermediate CAs. Let's examine the certificates in your chain:

openssl x509 -in OnlineSubCA.crt -text -noout | grep -A 1 "Basic Constraints"
openssl x509 -in OnlineSubCA.crt -text -noout | grep -A 1 "Key Usage"

For a valid CA certificate, you should see:

X509v3 Basic Constraints: critical
    CA:TRUE
X509v3 Key Usage: critical
    Certificate Sign, CRL Sign

Since you're using EJBCA, you'll need to ensure these settings in the certificate profile:

  1. Basic Constraints extension with CA:TRUE
  2. Key Usage extension with keyCertSign and cRLSign
  3. Path Length Constraint (if needed)

Create a proper chain file and verify it:

cat VPNCA.crt SubCA1.crt OnlineSubCA.crt RootCA.crt > complete_chain.pem
openssl verify -CAfile complete_chain.pem -untrusted complete_chain.pem server.crt

For OpenVPN 2.2.1, ensure these parameters in your config:

tls-remote "/CN=VPNCA"
remote-cert-tls server

And the server should have:

client-cert-not-required

Use these commands to isolate the issue:

# Check certificate purpose
openssl x509 -purpose -in OnlineSubCA.crt -noout

# Verify the full chain (OnlineSubCA sits between RootCA and SubCA1, so both intermediates are needed)
cat OnlineSubCA.crt SubCA1.crt > intermediates.pem
openssl verify -verbose -CAfile RootCA.crt -untrusted intermediates.pem VPNCA.crt

# Check TLS handshake
openssl s_client -connect yourserver:1194 -showcerts -CAfile complete_chain.pem

The "unsupported certificate purpose" error suggests your OnlineSubCA might have been created with incorrect extended key usage. Reissue it with proper constraints:

EJBCA Admin Command: createca --caname OnlineSubCA --encodeder true \
--certificateprofile SCEPRAProfileCASub --subjectaltname "" \
--keyspec "RSA 4096" --keytype RSA
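As an added example that is not code from either answer above: the script below builds a throwaway PKI with the openssl CLI, issues one sub CA with the extensions a CA profile must carry (CA:TRUE, keyCertSign, cRLSign) and one from an end-entity style profile (CA:FALSE, serverAuth EKU, no Key Usage), and then runs the two checks both answers rely on, reading the extensions with `openssl x509 -text` and chaining with `openssl verify`, here with `-purpose sslserver` so that the same purpose check a TLS stack such as OpenVPN's applies is performed. The names (Demo Root, good, bad, leaf_good, leaf_bad), the P-256 keys and the mktemp directory are all assumptions of the example; it needs only a POSIX shell and the openssl binary.

```sh
# Added example, not code from either answer: build a throwaway PKI with the
# openssl CLI in which one sub CA is issued with the extensions a CA profile
# must set (CA:TRUE, keyCertSign, cRLSign) and one is issued from an end-entity
# style profile, then run the checks the answers describe against both.
# All names (Demo Root, good, bad, leaf_*) and the temp directory are made up.

# Report the properties OpenSSL's check_ca() looks for in a CA certificate.
# Prints "ok", or "missing:" followed by what is absent.  Key Usage is
# optional for OpenSSL (a CA without it is tolerated) but a CA profile
# should set it, so its absence is reported as well.
ca_ext_check() {
    if ! text=$(openssl x509 -in "$1" -noout -text 2>/dev/null); then
        echo "unreadable"; return 2
    fi
    missing=""
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || missing="$missing CA:TRUE"
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -q 'Certificate Sign' || missing="$missing keyCertSign"
        printf '%s\n' "$text" | grep -q 'CRL Sign'         || missing="$missing cRLSign"
    else
        missing="$missing keyUsage"
    fi
    if [ -z "$missing" ]; then echo "ok"; return 0; fi
    echo "missing:$missing"; return 1
}

# Verify leaf ($3) against the root ($1) with the intermediates ($2) passed as
# untrusted, the way a TLS peer presents them, and with the sslserver purpose
# that a TLS stack such as OpenVPN's applies.  Prints "ok" or "error" followed
# by every X509_V_ERR number openssl reported, e.g. "error 24 26".
verify_chain() {
    if out=$(openssl verify -purpose sslserver -CAfile "$1" -untrusted "$2" "$3" 2>&1); then
        echo "ok"; return 0
    fi
    codes=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | tr '\n' ' ')
    echo "error ${codes% }"; return 1
}

# Build the demo PKI (P-256 keys, 1-day validity) in a temp dir; print the dir.
make_demo_pki() {
    dir=$(mktemp -d)
    cat > "$dir/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_good_sub ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_bad_sub ]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
EOF
    (
        cd "$dir" || exit 1
        for n in root good bad leaf_good leaf_bad; do
            openssl ecparam -genkey -name prime256v1 -noout -out "$n.key" 2>/dev/null
        done
        openssl req -x509 -new -key root.key -subj "/CN=Demo Root" -days 1 \
            -config ext.cnf -extensions v3_root -out root.crt 2>/dev/null
        # name:extension-section:issuer for each certificate signed below
        for spec in good:v3_good_sub:root bad:v3_bad_sub:root \
                    leaf_good:v3_leaf:good leaf_bad:v3_leaf:bad; do
            n=${spec%%:*}; rest=${spec#*:}; ext=${rest%%:*}; issuer=${rest#*:}
            openssl req -new -key "$n.key" -subj "/CN=$n" -config ext.cnf -out "$n.csr" 2>/dev/null
            openssl x509 -req -in "$n.csr" -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial \
                -days 1 -sha256 -extfile ext.cnf -extensions "$ext" -out "$n.crt" 2>/dev/null
        done
    )
    echo "$dir"
}

WORK=$(make_demo_pki)
for sub in good bad; do
    echo "$sub sub CA extensions: $(ca_ext_check "$WORK/$sub.crt")"
    echo "chain via $sub sub CA:    $(verify_chain "$WORK/root.crt" "$WORK/$sub.crt" "$WORK/leaf_$sub.crt")"
done
```

Running it prints `ok` twice for the good sub CA and `missing: CA:TRUE keyUsage` plus `error 24 26` for the bad one, which reproduces the pair of errors in the question: error 24 comes from the Basic Constraints check on the intermediate, error 26 from the purpose check that follows it. One caveat when reading such output: had the bad sub CA also carried a Key Usage extension without keyCertSign, as a TLS server profile normally does, OpenSSL would refuse to chain through it at all and report error 20 (unable to get local issuer certificate) instead, so seeing 24 and 26 rather than 20 tells you the key usage was accepted and the Basic Constraints are what needs fixing in the profile.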