Netgate Discussion Forum
    Is anyone using pfSense as a Certificate Authority for their Own Network?

    General pfSense Questions · 9 Posts · 4 Posters · 4.0k Views
    guardian (Rebel Alliance), last edited by guardian

      I created a root CA, and an intermediate CA signed by that root for my pfSense box. I then created a server certificate for my TrueNAS box which is signed by the Intermediate CA. I imported the Server Cert to the TrueNAS box, and then imported the root CA cert to firefox (on Linux). When I accessed the TrueNAS box, the cert wasn't trusted. I had to import the intermediate CA to firefox before https was possible with TrueNAS.

      I thought that was the point of having a root/intermediate CA. The root passed trust to the intermediate, and the intermediate didn't need to be in the browser.

      Am I doing something wrong? Is my understanding wrong? or Is it possible that the Server cert that I am creating with pfSense isn't being created correctly so as to properly indicate it was signed by the root which is in the FF trust store.

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

      stephenw10 (Netgate Administrator)

        So you created the server cert from the intermediate CA in pfSense?

        What error does the browser actually show? What does it say about the certificate?

        guardian (Rebel Alliance) @stephenw10, last edited by guardian

          @stephenw10 said in Certificate Authority Question:

          So you created the server cert from the intermediate CA in pfSense?
          @stephenw10 Thanks for the reply. Yes, I used the intermediate CA to sign the server cert.

          What error does the browser actually show? What does it say about the certificate?

          Unfortunately the messages are not very helpful. Firefox is working because I imported the Intermediate CA. When I repeat this with Chromium I get a very similar message:

          Chromium Browser
          
          Your connection is not private
          Attackers might be trying to steal your information from freenas.pvt (for example, passwords, messages or credit cards). Learn more
          NET::ERR_CERT_AUTHORITY_INVALID
          
          To get Chrome’s highest level of security, turn on enhanced protection
          This server could not prove that it is freenas.pvt; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
          
          Proceed to freenas.pvt (unsafe)
          

          When I view the Details tab of the internal certificate viewer, the Certificate Hierarchy tab doesn't show either the intermediate or the root certificate as part of the chain.

          Did I generate either the intermediate or server key incorrectly. I don't seem to have a chain of trust back to the root.

          Any suggestions would be much appreciated.

          List of Root from pfSense WebUI
          Serial: 0
          Subject Key ID: 48:A6:[ROOT_CA_ID]:E8:3C
          Authority Key ID: keyid:48:A6:[ROOT_CA_ID]:E8:3C
          
          
          Intermediate CA (from pfSense WebUI)
          Serial: 3
          Subject Key ID: AF:73:[INTERMEDIATE_CA_ID]:67:EE
          Authority Key ID: keyid:48:A6:[ROOT_CA_ID]:E8:3C
          
          
          FreeNAS GUI Cert (from pfSense WebUI)
          Serial: 40
          EKU: TLS Web Server Authentication, TLS Web Client Authentication, IP Security IKE Intermediate
          Subject Key ID: 06:D9:[FreeNAS_GUI_Cert]:49:D2
          Authority Key ID: keyid:AF:73:[INTERMEDIATE_CA_ID]:67:EE
          
          FreeNAS GUI Cert (from openssl x509 --text)
          Certificate:
          Serial Number: 40 (0x28)
          X509v3 extensions:
          Netscape Cert Type:               SSL Server
          X509v3 Key Usage:                 Digital Signature, Key Encipherment
          X509v3 Subject Key Identifier:    06:D9:[FreeNAS_GUI_Cert]:49:D2
          X509v3 Authority Key Identifier: 
                 keyid:AF:73:[INTERMEDIATE_CA_ID]:67:EE
          

          guardian (Rebel Alliance) @stephenw10

            @stephenw10 - Update: I did a bit of research and have done my best to examine the certificates.

            I understand the principles of Chain of Trust, but I'm very fuzzy using openssl and different file formats. I'm hoping that someone who really understands this might be able to give me some hints.

            Given that it's a security cert I've done a bit of redaction: [SERVERNAME] matches the intended installation server. IIUC this is the only important element; Location, Organization, etc. are arbitrary.

            It appears that the Intermediate Certificate has been generated correctly unless I'm missing something.

            $ openssl verify -CAfile Root+CA.crt Intermediate+May2017.crt 
            Intermediate+May2017.crt: OK
            

            I don't know if I've done this correctly, but IIUC either the certificate has been generated incorrectly (my error or pfSense error), or I am not doing the verify correctly.

            $ openssl verify -CAfile Root+CA.crt GUI.crt 
            CN = [SERVERNAME], C = CA, ST = PRIVATE, L = PRIVATE, O = PRIVATE, OU = PRIVATE
            error 20 at 0 depth lookup: unable to get local issuer certificate
            error GUI.crt: verification failed
            

            If I have done this correctly, this is what the certificate contains:

            $ openssl x509 -in GUI.crt -noout -text
            Certificate:
                Data:
                    Version: 3 (0x2)
                    Serial Number: 40 (0x28)
                    Signature Algorithm: sha256WithRSAEncryption
                    Issuer: C = CA, ST = PRIVATE, L = PRIVATE, O = PRIVATE, emailAddress = nobody@nowhere, CN = INTERMEDIATE_MAY2017, OU = PRIVATE
                    Validity
                        Not Before: Aug  8 23:50:17 2021 GMT
                        Not After : Sep  8 23:50:17 2022 GMT
                    Subject: CN = [SERVERNAME], C = CA, ST = PRIVATE, L = PRIVATE, O = PRIVATE, OU = PRIVATE
                    Subject Public Key Info:
                        Public Key Algorithm: rsaEncryption
                            RSA Public-Key: (4096 bit)
                            Modulus:
                                00:ad:81:67:47:bb:eb:b6:82:48:c2:fe:d8:74:72:
                                [REDACTED]
                                c4:1e:b5
                            Exponent: 65537 (0x10001)
                    X509v3 extensions:
                        X509v3 Basic Constraints: 
                            CA:FALSE
                        Netscape Cert Type: 
                            SSL Server
                        X509v3 Key Usage: 
                            Digital Signature, Key Encipherment
                        Netscape Comment: 
                            OpenSSL Generated Server Certificate
                        X509v3 Subject Key Identifier: 
                            06:D9:[REDACTED]:49:D2
                        X509v3 Authority Key Identifier: 
                            keyid:AF:73:[REDACTED]:67:EE
                            DirName:/C=CA/ST=PRIVATE/L=PRIVATE/O=PRIVATE/emailAddress=nobody@nowhere/CN=ROOT/OU=PRIVATE
                            serial:03
            
                        X509v3 Extended Key Usage: 
                            TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
                        X509v3 Subject Alternative Name: 
                            DNS:[SERVERNAME]
                Signature Algorithm: sha256WithRSAEncryption
                     ae:f2:9b:58:6e:fa:67:d6:e7:a5:58:0e:ab:3b:07:e5:a2:ad:
                     [REDACTED]
                     12:9e:ad:84:5b:93:75:d9
            

            There is also a p12 cert, but I'm not sure if this is useful or not.

            $ openssl pkcs12 -in GUI.p12 -info -nokeys
            Enter Import Password: (NOTE: NO PASSWORD-<CR> ENTERED)
            MAC: sha1, Iteration 1
            MAC length: 20, salt length: 8
            PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
            Certificate bag
            Bag Attributes
                localKeyID: 84 13 [REDACTED] 37 A9 
                friendlyName: GUI
            subject=CN = [SERVERNAME], C = CA, ST = PRIVATE, L = PRIVATE, O = PRIVATE, OU = PRIVATE
            
            issuer=C = CA, ST = PRIVATE, L = PRIVATE, O = PRIVATE, emailAddress = nobody@nowhere, CN = INTERMEDIATE_MAY2017, OU = PRIVATE
            
            -----BEGIN CERTIFICATE-----
            MIIHBTCCBO2gAwIBAgIBKDANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMCQ0Ex
            [REDACTED]
            5XTMxcAFL29PEI58YHNsJCsSnq2EW5N12Q==
            -----END CERTIFICATE-----
            Certificate bag
            Bag Attributes: <No Attributes>
            subject=C = CA, ST = PRIVATE, L = PRIVATE, O = PRIVATE, emailAddress = nobody@nowhere, CN = INTERMEDIATE_MAY2017, OU = PRIVATE
            
            issuer=C = CA, ST = PRIVATE, L = PRIVATE, O = PRIVATE, emailAddress = nobody@nowhere, CN = ROOT, OU = PRIVATE
            
            -----BEGIN CERTIFICATE-----
            MIIInzCCBIegAwIBAgIBAzANBgkqhkiG9w0BAQ0FADCBjDELMAkGA1UEBhMCQ0Ex
            [REDACTED]
            JbwS
            -----END CERTIFICATE-----
            PKCS7 Data
            Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
            

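The "error 20 at 0 depth lookup: unable to get local issuer certificate" result above, and the one-certificate chain reported from openssl s_client later in the thread, have the same cause: the server certificate is issued by the intermediate, and nothing in the verification path supplies that intermediate. The following is an added example (not code from the thread, pfSense or TrueNAS) that builds a throwaway root, intermediate and server certificate with openssl, using constructed names such as EXAMPLE ROOT and nas.example.lan, reproduces the failing verify, and then shows the two things that make it pass: handing openssl the intermediate as an untrusted helper, and bundling the intermediate behind the server certificate, which is what a TLS server has to present so that a client trusting only the root can build the path.

```shell
#!/bin/sh
# Added example, not code from the thread: root -> intermediate -> server
# chain built with openssl (all names constructed), then the verify checks.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: self-signed, CA:TRUE. Extensions come from a small extfile so the
# result does not depend on the local openssl.cnf.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=EXAMPLE ROOT" 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
  -extfile root.ext -out root.crt 2>/dev/null

# Intermediate CA: its CSR is signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=EXAMPLE INTERMEDIATE" 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null

# Server (leaf) certificate: its CSR is signed by the intermediate, which is
# the situation of the GUI cert in the thread.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=nas.example.lan" 2>/dev/null
printf '%s\n' 'basicConstraints=CA:FALSE' \
  'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
  'subjectAltName=DNS:nas.example.lan' 'subjectKeyIdentifier=hash' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# 1. The verify from the thread: only the root is trusted, the intermediate is
#    nowhere to be found, so path building stops at depth 0. Prints FAIL.
verify_root_only() {
  if openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# 2. Same trust anchor, but the intermediate is supplied as an untrusted helper
#    certificate. A browser gets that helper from the TLS server, not from its
#    own trust store. Prints ok.
verify_with_intermediate() {
  if openssl verify -CAfile root.crt -untrusted inter.crt leaf.crt >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# 3. What the server must present: its own certificate first, then the
#    intermediate. The root stays in the client's trust store. Returns the
#    number of certificates in the bundle (2).
build_server_chain() {
  cat leaf.crt inter.crt > chain.pem
  openssl verify -CAfile root.crt -untrusted chain.pem leaf.crt >/dev/null 2>&1
  grep -c 'BEGIN CERTIFICATE' chain.pem
}

# 4. The linkage the pfSense UI shows as Subject/Authority Key ID, checked by
#    name: the leaf's issuer must be the intermediate's subject. Prints yes.
leaf_issuer_matches_intermediate() {
  iss="$(openssl x509 -in leaf.crt -noout -issuer | sed 's/^issuer=//')"
  sub="$(openssl x509 -in inter.crt -noout -subject | sed 's/^subject=//')"
  [ "$iss" = "$sub" ] && echo yes || echo no
}

echo "verify with root only:        $(verify_root_only)"
echo "verify with -untrusted inter: $(verify_with_intermediate)"
echo "certs in served chain.pem:    $(build_server_chain)"
echo "leaf issuer == intermediate:  $(leaf_issuer_matches_intermediate)"
```

A server configured with only leaf.crt sends a one-certificate chain, which is exactly what a client that trusts only the root cannot complete; installing chain.pem (leaf followed by intermediate) in its place is the fix on the server side, and importing the intermediate into the browser, as done with Firefox above, only papers over the missing link on one client.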
            guardian (Rebel Alliance)

              Is anyone using pfSense as a CA (with an intermediate CA) for their home network and have those certs trusted by their own browsers? Any hints would be much appreciated.

              There seems to be a trend to using Let's Encrypt because it is easy/convenient, but I remember @jimp talking about certs (in the context of VPNs, but I think the same thing applies to a private-for family use only network) and suggesting that using Let's Encrypt exposes an extra attack surface unnecessarily.

              My isp gives out a very unfriendly (but for my purposes usable) subdomain which I can use for access. I'd like to be able to sign my own certs for it and have them trusted by my devices. A lot of container apps won't function properly unless they are https, so https is becoming a must do, not just a good to do.

              It would seem to me that participating in any public pki/dns system is an invitation to inspection. While relying on security by obscurity is not a good strategy, it's always a good thing if attackers aren't even looking.

              johnpoz (LAYER 8 Global Moderator) @guardian, last edited by johnpoz

                @guardian I have been doing this for years and years.. While I don't see the need of intermediate CA setup.. This is only certs for my stuff, and it's all on my secure/trusted home network anyway..

                I just have CA created in pfsense - and then create certs for my own use on different things. Switch gui, printer gui, unifi controller gui, nas gui, etc..

                Some of them are grandfathered from before the browsers got picky about lifetime of the cert, etc. So a few of mine are set to be good for 10 years, etc.

                I have put up some threads with details on how to do and get your browser to trust the CA a few times over the years. But yeah I see this is way better than using acme - since my devices/browsers are really the only thing that will ever access these web interfaces.

                I do use acme via haproxy to provide some https to users of my plex request site, etc. But this is accessed via a public domain and I have no control over the users browsers, etc. If my users were not your typical user idiots - I would get them just trust my CA, but that is asking a lot ;) hehe So just use acme there.

                I really don't see a "need" for even using https for the gui for say my printer or switches, etc. since it's all just local traffic over my own private network - but browsers complain these days if not https..

                Another big advantage I see vs acme certs is I can just add san entries to the certs for their rfc1918 address etc. And use my own local domain (which at some point will move over to the home.arpa but currently is just local.lan).. I don't ever see using acme for my local needs of https interfaces.. Unless browsers outside my control would need access to them.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                RedSector73 @johnpoz, last edited by RedSector73

                  @johnpoz Any chance you can link the posts or a guide, this is something I need to do, inclusive of plex / printers etc but haven't got around to yet.

                  Sorry OP not trying to hijack your thread, just interested.

                  johnpoz (LAYER 8 Global Moderator) @RedSector73, last edited by johnpoz

                    @redsector73 let me see if can dig up one of the older threads that has the pics still there..

                    If not can put together another one.

                    edit: here is one from 2019
                    https://forum.netgate.com/post/831783

                    guardian (Rebel Alliance) @RedSector73, last edited by guardian

                      Thank you @johnpoz for taking the time to write such a detailed reply.

                      Do you know if pfSense can create a certificate that is signed by an Intermediate CA that is trusted due to chain of trust to a Root CA?

                      I have managed to get FF to work by importing the intermediate cert into firefox, but if I just import the root CA it doesn't work. I just went back to revisit this and it looks like I didn't create my certificate correctly because when I execute openssl s_client -connect against my TrueNAS server with a server key created by pfSense, I only have the Intermediate CA in the certificate chain.

                      @johnpoz said in Is anyone using pfSense as a Certificate Authority for their Own Network?:

                      @guardian I have been doing this for years and years.. While I don't see the need of intermediate CA setup.. This is only certs for my stuff, and its all on my secure/trusted home network anyway..

                      @redsector73 said in Is anyone using pfSense as a Certificate Authority for their Own Network?:

                      @johnpoz Any chance you can link the posts or a guide, this is something I need to do, inclusive of plex / printers etc but haven't got around to yet.

                      Sorry OP not trying to hijack your thread, just interested.

                      @redsector73 No sweat - maybe I can help:
                      If you are on firefox:
                      Settings > Privacy & Security > Scroll down to Certificates

                      • Click "View Certificates"
                      • Scroll to the bottom and click import
                      • Navigate to your CA Certificate (.crt file you have exported from pfSense)
                      • Click Open
                        Any certs you sign with that CA will be trusted by the browser (as long as you have created the certificate correctly)

                      On chromium there is a "Manage Certificates" under the Advanced Section of "Privacy and Security". I suspect that Google Chrome is very similar.

                      Hope this helps.

                      [I should have refreshed before sending this... I wrote this yesterday, but forgot to post - @johnpoz has a really great writeup in the link he just added to his previous post.]

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.