Tim,

A small follow-up. I have been hanging out in CACert's IRC channel tonight chatting with some of the people running CACert since I emailed you back earlier. We came to a conclusion that the problem is OpenVPN's usage of a very old deprecated Netscape SSL bit. This is typically no problem for people, because openssl still sets that bit, so self-signed certs work out fine for people.

One of the CACert dev guys took some of my sample certs indicating what bit is missing and such, and will try to get their code to start including this extra SSL bit in the certs. For now, I think I'll revert back to just using the self CA generated keys until the CACert mess settles down.

Thanks for your help!

Mario