In June 2023 ovpnmain.cgi was updated to take into account the move to Openssl-3.x by the addition of the -legacy option into the openssl commands. The same action was taken by myself with vpnmain.cgi. Subsequently an update was made to ovpnmain.cgi that only added the -legacy option if the certificate that had been created was a legacy version. This update was not subsequently put into vpnmain.cgi, so all certificates produced are legacy ones, even if the root/host certificates for the ipsec page have been created with openssl-3.x.
I have done a test of removing the -legacy option from line 2218 in vpnmain.cgi. Creating a new client certificate then ended up with a non-legacy version that had the MAC: sha256 message in it, indicating that it was not legacy based. I will go through the vpnmain.cgi and modify all appropriate entries to only use -legacy if the involved .p12 file was legacy based. This should only happen if users are still using a root/host x509 certificate set that was created before openssl-3.x was installed, or from a restore from an old backup or from an uploaded root/host certificate set that was created with openssl-1.x.
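
An added example, not part of the original comment and not IPFire's code: a shell sketch of the "only use -legacy if the .p12 is legacy based" decision, keyed on the `MAC:` line that `openssl pkcs12 -info` prints. The function names, the `P12_PASS` variable and the two sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample text in the shape `openssl pkcs12 -info -noout` prints
# for a file written with OpenSSL 3.x defaults and for one written with -legacy.
MODERN_INFO='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
LEGACY_INFO='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048'

# Reads pkcs12 -info text on stdin. Prints "-legacy" when the file looks
# legacy based, prints nothing when it does not, and returns 2 when no MAC
# line is present (nothing to base a decision on).
p12_legacy_flag() {
    info=$(cat)
    mac=$(printf '%s\n' "$info" | sed -n 's/^MAC: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
    if [ -z "$mac" ]; then
        echo "no MAC line found in pkcs12 -info output" >&2
        return 2
    fi
    # sha1 MAC or an RC2 bag cipher marks a legacy-format file.
    if [ "$mac" = "sha1" ] || printf '%s\n' "$info" | grep -q 'RC2'; then
        echo "-legacy"
    fi
    return 0
}

# Hypothetical wrapper for a real file. Assumes the password is exported in
# P12_PASS (kept off the command line) and that the legacy provider is
# installed, so the inspection itself can read old files.
p12_flag_for_file() {
    openssl pkcs12 -legacy -info -noout -in "$1" -passin env:P12_PASS 2>&1 \
        | p12_legacy_flag
}
```
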