On Wed, Dec 3, 2014 at 11:33 AM, Michael Köhler <bittehier at nurfuerspam.de> wrote:
> Hi,
> I want to get ocserv with certificates from StartSSL running but it doesn't work.

Hi,

What doesn't work?

> The special thing with StartSSL is that they use Sub-CAs for signing server and client certificates. So I've a server certificate from sub.class2.server.ca.pem and client certificates from sub.class1.server.ca.pem and sub.class2.server.ca.pem. So what should I do to get ocserv running?
> I've created a server certificate with the certificate chain inside (cat server.pem sub.class2.server.ca.pem ca.pem > /etc/ocserv/ssl/server-chain-cert.pem) and the config settings:
> server-cert = /etc/ocserv/ssl/server-chain-cert.pem
> server-key = /etc/ocserv/ssl/server-key.pem

Nothing special about it, seems reasonable.

> Then I created a CA chain certificate for all client certificates with sub.class1.server.ca.pem (cat sub.class1.server.ca.pem ca.pem > /etc/ocserv/ssl/ca-sub1-chain-cert.pem).
> ca-cert = /etc/ocserv/ssl/ca-sub1-chain-cert.pem
> But now I don't know how I could enable login access for an individual user with a certificate from sub.class1.server.ca.pem?

If you use auth = "certificate" and ca-cert has the authority that signs the certificates, what you describe will work. However, I am confused by your description. Are ca-sub1-chain-cert.pem and sub.class1.server.ca.pem the same thing? Why did you use different names?

In any case the rule is: in ca-cert you put the CA to verify the clients, and in server-cert, the chain of your server's CA.

regards,
Nikos
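Since the thread turns on which CA bundle verifies which certificate, here is an added shell example (not part of the thread and not ocserv's own code) that uses openssl to build a throwaway hierarchy shaped like the StartSSL one (root, sub.class1, sub.class2), assembles the two chain files the way Michael did, and checks which bundle verifies the client certificate. All file names and subjects below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce the root -> sub.class1 / sub.class2 layout from the
# thread with throwaway keys, then check the two bundles with openssl verify.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Issue one certificate: $1 = name, $2 = issuer ("" for a self-signed root),
# $3 = file with the X.509 extensions to apply (CA or end-entity).
issue() {
  name=$1 issuer=$2 ext=$3
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
      -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 1 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

issue ca "" ca.ext                        # root CA (ca.pem)
issue sub.class1.server.ca ca ca.ext      # sub-CA that issues client certs
issue sub.class2.server.ca ca ca.ext      # sub-CA that issues the server cert
issue server sub.class2.server.ca server.ext
issue client sub.class1.server.ca client.ext

# The two bundles from the thread: server-cert = leaf + its sub-CA + root,
# ca-cert = the client-issuing sub-CA + root.
cat server.pem sub.class2.server.ca.pem ca.pem > server-chain-cert.pem
cat sub.class1.server.ca.pem ca.pem > ca-sub1-chain-cert.pem

# verifies BUNDLE CERT: succeeds only when CERT chains to a CA in BUNDLE,
# which is the check ocserv's ca-cert setting performs on a client cert.
verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

verifies ca-sub1-chain-cert.pem client.pem && echo "client cert OK against ca-cert bundle"
verifies ca.pem client.pem || echo "client cert FAILS against root alone (sub-CA missing)"
```

The second check is the failure mode to watch for: a ca-cert holding only the root cannot validate a client certificate issued by sub.class1, so the intermediate must be in the bundle as Michael built it.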