OpenSSL Error 0A00018E SSL routines ca md too weak
Introduction
After enabling the OpenVPN server on an ASUS router, the exported client.ovpn
file may trigger the following error in the OpenVPN client on Android:
1 | OpenSSL: error:0A00018E:SSL routines:SSL_CTX_use_certificate:ca md too weak |
This issue occurs because the CA certificate uses the SHA1 signature algorithm, which is outdated and considered insecure. Consequently, the OpenVPN client refuses to accept it.
There are two possible solutions:
- Insecure (Not Recommended): Allow weak CA certificates.
- Recommended: Renew the CA certificate using a stronger signature algorithm (e.g., SHA256 or higher).
Allowing weak certificates may expose your connection to man-in-the-middle (MITM) attacks or other vulnerabilities.
This guide walks you through the recommended solution.
Accessing the ASUS Router via Telnet
Install a Telnet client on your Windows system (e.g., MobaXterm, PuTTY),
or enable it via:
Control Panel > Programs > Turn Windows features on or off > Telnet Client.Use the following command to log in to your router:
1
$ telnet <ROUTER_IP>
Tip: The router’s IP address is usually
192.168.x.1
.
Re-generate CA Certificates by Router
Removing Old CA Certificates
Check the current certificate details to identify the signature algorithm:
1
2
3$ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_ca | grep "Signature Algorithm"
$ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_crt | grep "Signature Algorithm"
$ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_client_crt | grep "Signature Algorithm"Look for the Signature Algorithm field.
If it showssha1WithRSAEncryption
, you should remove and regenerate the certificates.You can list all certificate files for inspection:
1
$ ls -l /jffs/openvpn/
(Avoid using wildcards with
openssl
directly, as it may not handle them reliably.)
Renewing CA Certificates via Web Interface
Open a browser and log in to your router’s web interface (e.g., https://www.asusrouter.com).
Navigate to:
VPN > OpenVPN > Advanced Settings
If the Generate a new certificate option is available:
- Select Generate a new certificate.
- Click Apply.
If that option is not available, manually configure the security settings:
- Set Encryption Cipher to
AES-256-CBC
. - Set HMAC Authentication to
SHA256
or higher. - Click Apply.
- Set Encryption Cipher to
After applying the settings (this may take a few moments), the router will generate new CA and client certificates.
You can verify the new certificates via Telnet:
1
2
3$ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_ca | grep "Signature Algorithm"
$ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_crt | grep "Signature Algorithm"
$ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_client_crt | grep "Signature Algorithm"
Re-generate CA Certificates by Local
Install the OpenSSL:
Linux (usually pre-installed)
1
2# Ubuntu
$ sudo apt install opensslMAC (usually pre-installed, or install via Homebrew)
1
$ brew install openssl
Windows
Download and install from Open Official.
Create a config file for OpenSSL generation (e.g. named it
openvpn.conf
):1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19[req]
prompt = no
default_md = sha512
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req
[dn]
C = TW
ST = TW
L = Taipei
O = ASUS
CN = RT-AC1500_PLUS
emailAddress = [email protected]
[v3_req]
basicConstraints = CA:true
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuthExecute command for generation:
1
2
3$ openssl req -new -newkey rsa:2048 -sha512 -days 3650 -nodes -x509 -keyout server.key -out server.crt -config openvpn.conf
$ openssl req -new -newkey rsa:2048 -sha512 -days 3650 -nodes -x509 -keyout ca.key -out ca.crt -config openvpn.conf -CA server.crt -CAkey server.key
$ openssl dhparam -out dh.pem 4096and there will generate 5 files:
- ca.crt
- ca.key
- dh.pem
- server.crt
- server.key
Paste ca.crt/ dh.pem/ server.crt/ server.key on the dialog each Certificate Authority/ Server Certificate/ Server Key/ Diffie Hellman parameters where at VPN > VPN Server > OpenVPN > Authorization Mode > Content modification of Keys & Certification.
Click Apply.
Final Notes
- After regenerating the certificates, download a new
client.ovpn
file from the router’s web UI and import it into your OpenVPN client. - Make sure the OpenVPN client app is up-to-date to support modern cryptographic standards.
By following these steps, you can securely resolve the ca md too weak
error and enhance the overall security of your VPN setup.