I have created a CA and an intermediate CA using easy-rsa 2.0. On the Openvpn server I use the intermediate certificate export_ca (as per the easy-rsa spec). When I revoke a certificate on my intermediate CA and copy the new crl.pem file to the openvpn server I get this message :
CRL: CRL /etc/openvpn/crl.pem is from a different issuer than the issuer of certificate
I have read through all the openvpn doco but nothing talks about revoking a cert/user with an intermediate CA. Functionally the CRL works - ie the revoked cert/user isn't able to connect.
I am pretty sure that openvpn is complaining cuz it doesn't have the entire CA chain but am not entirely sure - can anyone explain why I get this?
looks like you've found a (minor) bug in openvpn. You should have the full (public) CA chain on the server by stacking the CA and subCA certs together. When a client connects the verify process goes through the entire chain and it tries to find a matching CRL. As there is no CRL for the intermediate CA itself this message is printed, which is bogus.
What you should see as well is
As long as you see that the cert issued by the intermediate CA is properly revoked.
HTH,
JJK