OpenSSL Error 0A00018E SSL routines ca md too weak

Posted on

Introduction

After enabling the OpenVPN server on an ASUS router, the exported client.ovpn file may trigger the following error in the OpenVPN client on Android:

1
OpenSSL: error:0A00018E:SSL routines:SSL_CTX_use_certificate:ca md too weak

This issue occurs because the CA certificate uses the SHA1 signature algorithm, which is outdated and considered insecure. Consequently, the OpenVPN client refuses to accept it.

There are two possible solutions:

  1. Insecure (Not Recommended): Allow weak CA certificates.
  2. Recommended: Renew the CA certificate using a stronger signature algorithm (e.g., SHA256 or higher).

Allowing weak certificates may expose your connection to man-in-the-middle (MITM) attacks or other vulnerabilities.

This guide walks you through the recommended solution.

Accessing the ASUS Router via Telnet

  1. Install a Telnet client on your Windows system (e.g., MobaXterm, PuTTY),
    or enable it via:
    Control Panel > Programs > Turn Windows features on or off > Telnet Client.

  2. Use the following command to log in to your router:

    1
    $ telnet <ROUTER_IP>

    Tip: The router’s IP address is usually 192.168.x.1.

Re-generate CA Certificates by Router

Removing Old CA Certificates

  1. Check the current certificate details to identify the signature algorithm:

    1
    2
    3
    $ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_ca         | grep "Signature Algorithm"
    $ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_crt        | grep "Signature Algorithm"
    $ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_client_crt | grep "Signature Algorithm"

  2. Look for the Signature Algorithm field.
    If it shows sha1WithRSAEncryption, you should remove and regenerate the certificates.

  3. You can list all certificate files for inspection:

    1
    $ ls -l /jffs/openvpn/

    (Avoid using wildcards with openssl directly, as it may not handle them reliably.)

Renewing CA Certificates via Web Interface

  1. Open a browser and log in to your router’s web interface (e.g., https://www.asusrouter.com).

  2. Navigate to:

    VPN > OpenVPN > Advanced Settings

  3. If the Generate a new certificate option is available:

    • Select Generate a new certificate.
    • Click Apply.

  4. If that option is not available, manually configure the security settings:

    • Set Encryption Cipher to AES-256-CBC.
    • Set HMAC Authentication to SHA256 or higher.
    • Click Apply.

  5. After applying the settings (this may take a few moments), the router will generate new CA and client certificates.

  6. You can verify the new certificates via Telnet:

    1
    2
    3
    $ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_ca         | grep "Signature Algorithm"
    $ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_crt        | grep "Signature Algorithm"
    $ openssl x509 -noout -text -in /jffs/openvpn/vpn_crt_server1_client_crt | grep "Signature Algorithm"

Re-generate CA Certificates by Local

  1. Install the OpenSSL:

    • Linux (usually pre-installed)

      1
      2
      # Ubuntu
      $ sudo apt install openssl

    • MAC (usually pre-installed, or install via Homebrew)

      1
      $ brew install openssl

    • Windows

      Download and install from Open Official.

  2. Create a config file for OpenSSL generation (e.g. named it openvpn.conf):

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    [req]
    prompt = no
    default_md = sha512
    default_bits = 2048
    distinguished_name = dn
    x509_extensions = v3_req

    [dn]
    C = TW
    ST = TW
    L = Taipei
    O = ASUS
    CN = RT-AC1500_PLUS
    emailAddress = [email protected]

    [v3_req]
    basicConstraints = CA:true
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
    extendedKeyUsage = serverAuth, clientAuth

  3. Execute command for generation:

    1
    2
    3
    $ openssl req -new -newkey rsa:2048 -sha512 -days 3650 -nodes -x509 -keyout server.key -out server.crt -config openvpn.conf
    $ openssl req -new -newkey rsa:2048 -sha512 -days 3650 -nodes -x509 -keyout ca.key -out ca.crt -config openvpn.conf -CA server.crt -CAkey server.key
    $ openssl dhparam -out dh.pem 4096

    and there will generate 5 files:

    • ca.crt
    • ca.key
    • dh.pem
    • server.crt
    • server.key

  4. Paste ca.crt/ dh.pem/ server.crt/ server.key on the dialog each Certificate Authority/ Server Certificate/ Server Key/ Diffie Hellman parameters where at VPN > VPN Server > OpenVPN > Authorization Mode > Content modification of Keys & Certification.

    authorization-mode

  5. Click Apply.

Final Notes

  • After regenerating the certificates, download a new client.ovpn file from the router’s web UI and import it into your OpenVPN client.
  • Make sure the OpenVPN client app is up-to-date to support modern cryptographic standards.

By following these steps, you can securely resolve the ca md too weak error and enhance the overall security of your VPN setup.