Netgate Discussion Forum
Trouble chaining CAs when generating PFX

ACME
    dono (last edited by dono Apr 7, 2023, 3:50 AM; Apr 7, 2023, 3:47 AM)

    I have been using the Acme plugin for a few years without any issues. It generates a wildcard certificate that I am able to use on multiple servers. Recently, though, I ran into a problem when trying to generate a signed PFX.

    1. Export the certificate and private key from System / Certificate Manager / Certificates.
    2. Download the intermediate and root CA certificates from System / Certificate Manager / CAs.
    3. Combine the intermediate and root CA certificates into a file:
    type "Acmecert_+O=Let's+Encrypt,+CN=R3,+C=US.crt" "Acmecert_+O=Internet+Security+Research+Group,+CN=ISRG+Root+X1,+C=US.crt" > cachain.pem
    
    4. Generate the PFX certificate:
    openssl pkcs12 -export -in <certificate> -inkey <private key> -chain -CAfile cachain -passout pass:<password> -out <PFX file>
    

    This produces an error:
    Error loading file cachain.pem

    Opening the file, I notice that there is no new line between the two concatenated certificates:
    -----END CERTIFICATE----------BEGIN CERTIFICATE-----
    Can pfSense be improved to export certificates with a final line feed at the end?

    So I manually add one and re-save.
    Re-running the above command has a new error:
    Error unable to get issuer certificate getting chain.

    So I dumped each PEM certificate to follow the chain:

    openssl x509 -in <PEM certificate> -noout -text
    

    Leaf issuer:
    Issuer: C = US, O = Let's Encrypt, CN = R3

    Intermediate:
    Subject: C = US, O = Let's Encrypt, CN = R3
    Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1

    Root:
    Subject: C = US, O = Let's Encrypt, CN = R3
    Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1

    The Subject and Issuer do not match, so this is not really the root.
    Here are the reference certificates:
    Apparently this "ISRG Root X1" is the certificate cross-signed by DST root CA X3.
    This "ISRG Root X1" though is not contained in the CA list.
    I think it would make more sense if the CA listed the self-signed ISRG Root X1.
    PEM link:
    TXT link:
    Otherwise it should include the DST Root CA X3 self-signed certificate.

    My workaround for this is to manually download the CA certificates rather than use those listed in System / Certificate Manager / CAs.

    curl -o lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
    curl -o isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem
    

    And then combine these for use in the certificate chain:

    type lets-encrypt-r3.pem isrgrootx1.pem > cachain.pem
    

    This also resolves the missing line feed between the certificates.
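Added example, not from the original post or from the pfSense/ACME package: a small Python helper that splits concatenated PEM files into individual certificate blocks and re-emits them with a newline after every END marker, so the fused "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" boundary described above cannot reach openssl. The certificate bodies in the demo are constructed placeholders, not real certificates.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# One PEM certificate block. re.S lets the lazy body span lines, and the
# \s* on either side tolerates a missing line break before BEGIN or after END.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

FUSED_BOUNDARY = "-----END CERTIFICATE----------BEGIN CERTIFICATE-----"


def has_fused_boundary(text: str) -> bool:
    """True when an END marker runs straight into the next BEGIN marker,
    the defect that makes openssl report 'Error loading file'."""
    return FUSED_BOUNDARY in text


def split_pem(text: str) -> list[str]:
    """Return every certificate in `text` as a well-formed PEM block:
    64-column base64 body and a trailing newline, however it was concatenated."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group(1))  # strip all whitespace
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n"
        )
    return blocks


def build_chain(*paths: Path) -> str:
    """Concatenate PEM files in the given order (intermediate first, root
    last), guaranteeing a newline between consecutive certificates."""
    return "".join(block for p in paths for block in split_pem(p.read_text()))


if __name__ == "__main__":
    # Constructed placeholders: "AAAA"/"BBBB" stand in for real base64 bodies.
    with TemporaryDirectory() as tmp:
        r3 = Path(tmp, "r3.crt")
        root = Path(tmp, "root.crt")
        r3.write_text("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----")  # no final newline
        root.write_text("-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n")
        chain = build_chain(r3, root)
        print(chain, "fused boundary present:", has_fused_boundary(chain))
```

The resulting text can be written to cachain.pem and passed as -CAfile to the openssl pkcs12 command from the post.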

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.