robur-coop / miragevpn

An opinionated implementation of the OpenVPN protocol
BSD 2-Clause "Simplified" License

PKCS12 certificates and --ca/--extra-certs #173

Closed reynir closed 1 year ago

reynir commented 1 year ago

The documentation for --pkcs12 says:

This option can be used instead of --ca, --cert, and --key.

The man page is unclear about how it can be used instead of --ca, and from inspecting the code, the two options are not mutually exclusive. If --pkcs12 is specified and --ca is not, then the certificates are used as --ca. Otherwise, if both are specified, then the certificates in the pkcs12 file are added to --extra-certs.

In https://github.com/robur-coop/miragevpn/pull/170 I decided to circumvent the issue by not allowing additional certificates in the PKCS#12 file.

See the discussion in https://github.com/robur-coop/miragevpn/pull/170#discussion_r1407600824

Related to https://github.com/robur-coop/miragevpn/issues/81

reynir commented 1 year ago

After thinking about it for a bit I don't like that the certificates in the pkcs12 file are used to authenticate the remote. That is easily surprising behavior in my opinion. Maybe it is worth diverging from OpenVPN here?

hannesm commented 1 year ago

Thanks for your investigation and opening of this issue. I agree we should keep it simple and use the PKCS12 only for the client credentials (certificate(s) and key). If, in the future, there turns out to be demand for these rather strange semantics of OpenVPN, we can re-discuss it then.

reynir commented 1 year ago

In #170 a warning is printed if there are additional certificates optionally informing that the certificates will not be used for authenticating the remote. This divergence from the OpenVPN implementation is also documented in the README.
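
A pre-deployment check for the behaviour discussed in this thread, added here as an example and not taken from the thread, miragevpn or OpenVPN: it counts the certificates in a PKCS#12 file other than the client certificate, which are the ones that, per the discussion above, OpenVPN would use as --ca or add to --extra-certs. The sample files, the password `sample` and the function names are constructed for the illustration, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: find certificates in a PKCS#12 file that are not the
# client certificate, before handing the file to a VPN client.

# Build constructed samples: a throwaway CA certificate, a client key and
# certificate (self-signed for brevity), and two PKCS#12 files, one with
# the CA certificate bundled in and one without.
make_samples() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
        -keyout "$dir/client.key" -out "$dir/client.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -passout pass:sample -out "$dir/plain.p12"
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -certfile "$dir/ca.crt" -passout pass:sample -out "$dir/bundled.p12"
}

# Print the number of certificates in file $1 (password $2) that are not
# bound to the private key. Returns 2 if the file cannot be read, so a
# wrong password is never reported as "0 additional certificates".
extra_cert_count() {
    # -cacerts emits only certificates that are not the client certificate.
    certs=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts \
        2>/dev/null) || return 2
    # grep -c prints 0 and exits 1 on no match; "|| true" keeps that usable.
    printf '%s\n' "$certs" | grep -c 'BEGIN CERTIFICATE' || true
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_samples "$tmp"
for name in plain bundled; do
    n=$(extra_cert_count "$tmp/$name.p12" sample)
    if [ "$n" -gt 0 ]; then
        echo "warning: $name.p12 carries $n additional certificate(s)"
    else
        echo "ok: $name.p12 holds only the client certificate and key"
    fi
done
```
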