This page refers to the open source firewall IPFire.

Using external CA


Using a host key and certificates from an external certificate authority is possible with the following steps and restrictions:

  • On the OpenVPN configuration page, start with the “generate root/host certificate” button, but do not generate them; instead use the import dialog at the bottom with an existing file in PKCS#12 format (suffix .p12). It needs to contain the host key and the host certificate signed by your CA.
  • Import your CA's certificate in the form below the list of OpenVPN root and host certificates.
  • Generate or import Diffie-Hellman parameters.
  • You need to deposit a valid copy of the certificate revocation list in IPFire's filesystem at /var/ipfire/ovpn/crls/cacrl.pem.
  • As you don't have the CA key on the IPFire, you can't generate client certificates; you must import them instead. The starting point is still the “Add” button in the client list; just use the “upload” feature instead of “generate …”.
  • When creating client certificates with TinyCA2, make sure to unset the “add email address to CN” checkbox when signing the request (i.e. creating the certificate): IPFire obviously can't cope with that extension and throws an internal server error when it uses the CN value, which then contains a slash, as a filename.


Renew certificate

OpenVPN server certificate:

  1. Replace /var/ipfire/ovpn/certs/servercert.pem
  2. /usr/local/bin/openvpnctrl -r

Apache httpd (web interface) certificate:

  1. Replace /etc/httpd/server.crt
  2. apachectl restart


IPFire 2.17 (i586) - Core Update 98

  • If a client's certificate subject consists only of the common name (CN), TLS verification will fail due to the regular expression used in /usr/lib/openvpn/verify to extract the value of CN=…
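Both problems above (a CN value containing a slash that then gets used as a filename, and a subject consisting of nothing but CN=…) come down to how a tls-verify hook extracts and validates the CN from the subject string OpenVPN hands it. The following Python script is an added example and is not IPFire's /usr/lib/openvpn/verify script; it makes no claim about the regular expression that script actually uses. It assumes the subject arrives either in the legacy slash-separated OpenSSL form or in the RFC 2253 comma-separated form, and all subjects and client names in it are constructed sample data. It contrasts a slash-anchored regex with a format-aware parser, and refuses any CN that is not safe to use verbatim as a filename component.

```python
"""Robust CN extraction for an OpenVPN tls-verify hook (added example,
not IPFire's /usr/lib/openvpn/verify; the real script's regex is unknown)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample subjects in the two formats a tls-verify hook may see:
# the legacy slash-separated OpenSSL "oneline" form and the RFC 2253
# comma-separated form (assumption: either may appear, depending on version).
SAMPLE_SUBJECTS = {
    "legacy": "/C=DE/O=Example Org/CN=client1",
    "rfc2253": "C=DE, O=Example Org, CN=client1",
    "cn_only": "CN=client1",
    # CN value containing a slash, as happens when an e-mail address is folded
    # into the CN (constructed; mirrors the TinyCA2 case described on the page)
    "slash_in_cn": "C=DE, O=Example Org, CN=client1/client1@example.org",
}

# A naive pattern that assumes the CN is always preceded by a slash; it
# misses a subject that consists of CN=... alone.
NAIVE_CN = re.compile(r"/CN=([^/]+)")


def naive_cn(subject: str) -> Optional[str]:
    """Return the CN the way a slash-anchored regex would, or None."""
    m = NAIVE_CN.search(subject)
    return m.group(1) if m else None


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Split a subject string into (attribute, value) pairs.

    Legacy form: leading '/', fields separated by '/'.  RFC 2253 form:
    fields separated by ',' where '\\,' escapes a literal comma.
    """
    if subject.startswith("/"):
        fields = [f for f in subject[1:].split("/") if f]
    else:
        fields = [f.replace("\\,", ",") for f in re.split(r"(?<!\\),\s*", subject)]
    pairs = []
    for field in fields:
        attr, sep, value = field.partition("=")
        if sep:
            pairs.append((attr.strip(), value))
    return pairs


def extract_cn(subject: str) -> Optional[str]:
    """Return the CN value regardless of subject format, or None if absent."""
    for attr, value in parse_subject(subject):
        if attr.upper() == "CN":
            return value
    return None


# Allow only CN values that are safe as a single filename component:
# no path separators, no leading dot, no control characters, bounded length.
SAFE_CN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,63}$")


def is_safe_filename_cn(cn: str) -> bool:
    """True if cn can be used verbatim as a file name without path tricks."""
    return bool(SAFE_CN.match(cn)) and ".." not in cn


def verify_peer(subject: str, known_clients: Dict[str, str]) -> Tuple[bool, str]:
    """Decision a tls-verify hook would make: accept only a well-formed CN
    that maps to a known client. Returns (accepted, reason)."""
    cn = extract_cn(subject)
    if cn is None:
        return False, "no CN in subject"
    if not is_safe_filename_cn(cn):
        return False, f"CN {cn!r} is not safe to use as a file name"
    if cn not in known_clients:
        return False, f"unknown client {cn!r}"
    return True, f"accepted {cn!r} ({known_clients[cn]})"


if __name__ == "__main__":
    clients = {"client1": "roadwarrior, certificate imported"}  # constructed
    for name, subject in SAMPLE_SUBJECTS.items():
        print(f"{name:12} naive={naive_cn(subject)!r:12} "
              f"robust={extract_cn(subject)!r:32} -> {verify_peer(subject, clients)}")
```

Running the script shows the naive regex returning None for the CN-only subject while the parser finds client1 in all three well-formed subjects, and the slash-containing CN being rejected before anything is done with it on the filesystem, which is the check that turns the internal server error into a clean verification failure.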
docs/tips_n_tricks/ipfire.html.txt · Last modified: 26.10.2021 09:57 CEST by peter