The eurephia plug-in validates every certificate in the chain that belongs to a client certificate. To distinguish the positions in that chain, eurephia uses a concept called certificate depth. In a traditional OpenVPN setup, where you have only one CA certificate and all client certificates are signed directly by it, the CA certificate has depth 1 and every client certificate has depth 0.
If the OpenVPN CA certificate is itself signed by another CA, your OpenVPN CA certificate still has depth 1, and the higher CA certificates have depth 2 or more. Be aware that every certificate in the chain must be registered, because each level is checked against the eurephia database. If a registration is missing, that certificate, and with it the complete chain, is considered invalid.
First we need to register your OpenVPN CA certificate. The following examples presume that you are using a traditional OpenVPN setup with only one CA certificate and client certificates signed by it. In this section we will not explain in depth what the following command does; it is described later in this chapter.
In this example it is presumed that your OpenVPN CA certificate is installed under /etc/openvpn/ca.crt.
user@host:~ $ eurephiadm certs --add --depth 1 --certfile /etc/openvpn/ca.crt
eurephia::Certificates: Certificate registered successfully (certid 1)
user@host:~ $
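To make the depth numbering concrete, here is an added Python model (not part of eurephia or this guide) that walks a chain from the client certificate up to the root, assigns depths as described above, applies the rule that every level must be registered at its depth, and lists the eurephiadm command for each level. The certificate names, file paths and the subject-keyed registry are constructed assumptions; the real database identifies certificates differently, and registering depth 0 with the same command is assumed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: who it names, who signed it, where it lives."""
    subject: str
    issuer: str
    path: str


def chain_depths(client, pool):
    """Walk from the client certificate up to the self-signed root and assign
    eurephia depths: client = 0, its signing CA = 1, that CA's signer = 2, ...
    Raises if the certificate for some issuer is not in the pool."""
    chain, current = [], client
    while True:
        chain.append((len(chain), current))
        if current.subject == current.issuer:      # self-signed root: top of the chain
            return chain
        parents = [c for c in pool if c.subject == current.issuer]
        if not parents:
            raise ValueError(f"no certificate found for issuer {current.issuer!r}")
        current = parents[0]


def chain_is_registered(chain, registered):
    """Mimic the plug-in's all-or-nothing check: every level must be registered
    at the expected depth, otherwise the whole chain is invalid.
    `registered` maps subject -> depth (a constructed simplification of the eurephia DB)."""
    missing = [(d, c.subject) for d, c in chain if registered.get(c.subject) != d]
    return (not missing, missing)


def registration_commands(chain):
    """The eurephiadm invocation needed to register each level of the chain."""
    return [f"eurephiadm certs --add --depth {d} --certfile {c.path}" for d, c in chain]


# Constructed sample: a two-level PKI where the OpenVPN CA is signed by a corporate root CA.
ROOT = Cert("CN=Corp Root CA", "CN=Corp Root CA", "/etc/openvpn/root-ca.crt")
VPN_CA = Cert("CN=OpenVPN CA", "CN=Corp Root CA", "/etc/openvpn/ca.crt")
ALICE = Cert("CN=alice", "CN=OpenVPN CA", "/etc/openvpn/alice.crt")
CHAIN = chain_depths(ALICE, [ROOT, VPN_CA])

if __name__ == "__main__":
    for depth, cert in CHAIN:
        print(f"depth {depth}: {cert.subject}")
    # Root CA deliberately left unregistered: the whole chain is rejected.
    ok, missing = chain_is_registered(CHAIN, {"CN=alice": 0, "CN=OpenVPN CA": 1})
    print("valid" if ok else f"invalid, unregistered levels: {missing}")
    print("\n".join(registration_commands(CHAIN)))
```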