PFSense UI not detecting externally created certs as server certs

mephmanx

Correct, they are created outside of PFSense using OpenSSL and then set during the install. Here is the config of the server cert:

##Required
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = v3_vpn_server
prompt = no

##About the system for the request. Ensure the CN = FQDN
[ req_distinguished_name ]
commonName = $host_name.$INTERNAL_DOMAIN_NAME
countryName = $COUNTRY
stateOrProvinceName = $STATE
localityName = $LOCATION
organizationName = $ORGANIZATION

##Extensions to add to a certificate request for how it will be used
[ v3_vpn_server ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_vpn_server

##The other names your server may be connected to as
[alt_vpn_server]
DNS.1 = $host_name
DNS.2 = $host_name.$INTERNAL_DOMAIN_NAME
DNS.3 = *.$INTERNAL_DOMAIN_NAME

stephenw10

It's the 'purpose' flags set on the cert. For example on a cert created in pfSense:

steve@steve-MMLP7AP-00 /tmp/mozilla_steve0 $ openssl x509 -noout -purpose -in FreeRADIUS+Server+Certificate.crt 
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

Though as I understand it most things ignore this so it's unlikely you would see an issue using that cert for the pfSense webgui.

mephmanx

@stephenw10 Dont know if you got my response to this...I think I replied via email and Im not sure if that works. I did find some things to clean up in my cert creation process but I still havent been able to get this flag to show up. I use openssl to create my certs...do you know what switch on openssl to use or if there is a value in the config or x509 settings that would kick this off? It dosent seem like its a big deal...things seem to work but would be nice to get everything to line up. Thank you for taking a look though!

stephenw10

My understanding is that the flag is largely deprecated which is why it works fine and most things ignore it.
I've never really tried but I would expect to be able to set that if you're creating it with openssl.

Steve

mephmanx

@stephenw10 Thats what Im looking for is the flag for openssl...I cant seem to find it anywhere. It dosent seem like its used much..would just like to find it so the UI looks right.

stephenw10

Hmm, I guess I would start digging here:
https://github.com/pfsense/pfsense/blob/master/src/etc/inc/certs.inc#L688

mephmanx

@stephenw10 Wow, I think thats it! perfect! I was just adjusting those attributes for something else and I think I need that attribute for the VPN sever actually...was having issues with that. Great timing, thanks!

stephenw10

Ha, lucky!

mephmanx

@stephenw10 I have this working correctly now! Thank you so much for your help!

stephenw10

Ah, nice! What was the required incantation?

mephmanx

@stephenw10 I needed to add server into the nsCertType and serverAuth into extendedKeyUsage in the x509 extensions but need to add the x509 extensions as a command line arg to openssl, adding them into the config file dosent seem to work. Have to create it this way:

openssl x509 -CAcreateserial -req -days 7300
-in $cert_dir/$cert_name.csr
-CA $cert_dir/id_rsa.crt
-CAkey $cert_dir/id_rsa
-passin pass:$ca_pwd
-sha256
-extfile <(printf "$extFile")
-out $cert_dir/$cert_name.crt

the -extfile get the contests of the x509 stuff.