Hi Nikos, thanks for your fast reply.

>> I want to get ocserv with certificates from StartSSL running but it doesn't work.
>
> What doesn't work?

Sorry, I forgot to say that I can't connect to ocserv 0.8.8 from my iPhone with the latest AnyConnect client. If I try, I get the following log output:

Dec 3 13:29:12 test-vpn ocserv[11426]: main: main-misc.c:754: cannot open: /sys/fs/cgroup/cpuset/test/tasks
Dec 3 13:29:13 test-vpn ocserv[11455]: worker: 178.24.234.134:52671 client certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
Dec 3 13:29:13 test-vpn ocserv[11427]: sec-mod: received request from pid 11455 and uid 65534
Dec 3 13:29:13 test-vpn ocserv[11427]: sec-mod: cmd [size=517] sm: decrypt
Dec 3 13:29:13 test-vpn ocserv[11455]: worker: 178.24.234.134:52671 no certificate provided for authentication
Dec 3 13:29:13 test-vpn ocserv[11426]: main: 178.24.234.134:52671 main-misc.c:425: command socket closed
Dec 3 13:29:13 test-vpn ocserv[11426]: main: main-misc.c:754: cannot open: /sys/fs/cgroup/cpuset/test/tasks
Dec 3 13:29:13 test-vpn ocserv[11456]: worker: 178.24.234.134:52672 client certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
Dec 3 13:29:13 test-vpn ocserv[11427]: sec-mod: received request from pid 11456 and uid 65534
Dec 3 13:29:13 test-vpn ocserv[11427]: sec-mod: cmd [size=517] sm: decrypt
Dec 3 13:29:13 test-vpn ocserv[11456]: worker: 178.24.234.134:52672 no certificate provided for authentication
Dec 3 13:29:13 test-vpn ocserv[11426]: main: 178.24.234.134:52672 main-misc.c:425: command socket closed
Dec 3 13:29:13 test-vpn ocserv[11426]: main: main-misc.c:754: cannot open: /sys/fs/cgroup/cpuset/test/tasks
Dec 3 13:29:13 test-vpn ocserv[11457]: worker: 178.24.234.134:52673 tlslib.c:372: error verifying client certificate: No certificate was found.
Dec 3 13:29:13 test-vpn ocserv[11427]: sec-mod: received request from pid 11457 and uid 65534
Dec 3 13:29:13 test-vpn ocserv[11427]: sec-mod: cmd [size=517] sm: decrypt
Dec 3 13:29:13 test-vpn ocserv[11457]: worker: 178.24.234.134:52673 no certificate provided for authentication
Dec 3 13:29:13 test-vpn ocserv[11426]: main: 178.24.234.134:52673 main-misc.c:425: command socket closed

The config file is:

auth = "certificate"
max-clients = 16
max-same-clients = 2
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = false
server-cert = /etc/ocserv/ssl/server-chain-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ca-cert = /etc/ocserv/ssl/ca-sub1-chain-cert.pem
cert-user-oid = 2.5.4.3
cert-group-oid = 2.5.4.11
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
auth-timeout = 40
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nogroup
cgroup = "cpuset,cpu:test"
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
ping-leases = false
route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"
cisco-client-compat = true

>
>> The special thing with StartSSL is that they use sub-CAs for signing server and client certificates. So I have a server certificate from sub.class2.server.ca.pem and client certificates from sub.class1.server.ca.pem and sub.class2.server.ca.pem. So what should I do to get ocserv running?
>> I've created a server certificate with the certificate chain inside (cat server.pem sub.class2.server.ca.pem ca.pem > /etc/ocserv/ssl/server-chain-cert.pem) and the config settings:
>> server-cert = /etc/ocserv/ssl/server-chain-cert.pem
>> server-key = /etc/ocserv/ssl/server-key.pem
>
> Nothing special about it, seems reasonable.
>
>> Then I created a CA chain certificate for all client certificates with sub.class1.server.ca.pem (cat sub.class1.server.ca.pem ca.pem > /etc/ocserv/ssl/ca-sub1-chain-cert.pem).
>> ca-cert = /etc/ocserv/ssl/ca-sub1-chain-cert.pem
>> But now I don't know how I could enable login access for an individual user with a certificate from sub.class1.server.ca.pem?
>
> If you use
> auth = "certificate"
> and ca-cert has the authority that signs certificates, what you
> describe will work.
> However, I am confused by your description. Are
> ca-sub1-chain-cert.pem and sub.class1.server.ca.pem the same thing?
> Why did you use different names?

I don't know exactly, but StartSSL uses intermediate CA certificates to provide certificates for different levels of identification. Normally I have to provide all certificates of the chain from the server up to the CA, with the class1 or class2 sub-level certificate in between. I could test it with only the class1 one, but what about the clients which got a class2 certificate?

And the important question: the client certificates come directly from StartSSL and I don't own a CA or sub-CA, so how could I restrict logins to only my users? Do I have to install the client certificates on the server, or what should I do?

> In any case the rule is in ca-cert you put the CA to verify the
> clients, and in server-cert, the chain of your server's CA.

regards,
Michael