Client key usage extension verification required?
Server certificate may not specify key usage extension, but clients may require it.
My OpenVPN client, version 2.4.7, refused to establish a VPN connection to a server because the server's certificate did not specify a key usage extension.
I ended up removing remote-tls-cert server
from my client configuration file. Then the server certificate was verified, and VPN connected ok. Does this option need to be specified on the client at all? There seems to be some security benefit for the clients. For an in-depth review see https://www.v13.gr/blog/?p=386