Netgate Discussion Forum

    System - Certificates using an ICA or CA generated by pfSense

    General pfSense Questions
    6 Posts 4 Posters 260 Views
      pfpcorey
      last edited by

      As I have used pfSense to create a Certificate Authority and Intermediate CA, I noticed that when any CSR is signed, "dataEncipherment" is not an option I can pick. The default seems to use the extension "nonRepudiation, digitalSignature, keyEncipherment" for any certificate request. The openssl.cnf located @ /usr/local/share/pfSense/ssl/openssl.cnf does not include dataEncipherment.

      As I read elsewhere within this forum, /etc/ssl/openssl.cnf is copied over during the boot up. I was hoping to make the request as I create the CSR, but the web UI does not offer that option -- the Certificate Attributes are Certificate Type and Alternative Names.

      The GitHub link does not have it set.

      Look at https://github.com/pfsense/pfsense/blob/master/src/usr/local/share/pfSense/ssl/openssl.cnf The option is not set.

      Ironically, when ACME creates a certificate the option is set.

      I was not sure, if I edit /usr/local/share/pfSense/ssl/openssl.cnf, whether that additional extension would be kept or revert back to its original value.

        Gertjan @pfpcorey
        last edited by Gertjan

        @pfpcorey said in System - Certificates using an ICA or CA generated by pfSense:

        I was not sure, if I edit /usr/local/share/pfSense/ssl/openssl.cnf, whether that additional extension would be kept or revert back to its original value.

        The time stamp of that file on my pfSense is from months ago, so it was probably put in place when pfSense was installed. So, feel free to edit.

        Btw: be aware of side effects ... make a backup?

        @pfpcorey said in System - Certificates using an ICA or CA generated by pfSense:

        ironically when ACME create a certificate the option is set.

        ACME doesn't create certificates.
        It's Letsencrypt that sends them over the pfSense ACME package.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          stephenw10 Netgate Administrator
          last edited by

          Yeah, it may well be overwritten at a firmware upgrade. If you make your changes as a diff file you can apply it with the System Patches package and then just re-apply it after an upgrade.

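The edit the opening post asks about and the diff-based workflow stephenw10 describes, worked through as one added example; this is not code from the thread or from pfSense. It assumes the default keyUsage value quoted in the first post and the file path named there; the openssl.cnf inside is a constructed minimal stand-in for the real file, and the lab CA name and hostname are invented. Everything runs in a scratch directory so nothing on a live firewall is touched.

```shell
#!/bin/sh
# Added example, not pfSense's own code: make the keyUsage edit discussed in the
# thread, produce the unified diff a System Patches entry would carry, and
# confirm that a certificate signed with the edited config carries
# dataEncipherment. The real file on pfSense is assumed to be
# /usr/local/share/pfSense/ssl/openssl.cnf (path from the original post); it is
# never touched here.
set -eu

WORK="$(mktemp -d)"
ORIG="$WORK/openssl.cnf.orig"   # stands in for the stock pfSense file
NEW="$WORK/openssl.cnf"         # the edited copy

# Constructed minimal config with only the sections this demonstration needs.
# The keyUsage line mirrors the default quoted in the original post.
cat > "$ORIG" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
CN = lab-host.example

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# The edit itself: append dataEncipherment to the usr_cert keyUsage line.
sed 's/^\(keyUsage = nonRepudiation, digitalSignature, keyEncipherment\)$/\1, dataEncipherment/' \
    "$ORIG" > "$NEW"

# Unified diff of stock vs edited config, i.e. the form a System Patches entry
# takes. diff exits 1 when the files differ, which is the expected case here.
make_patch() {
    diff -u "$ORIG" "$NEW" || true
}

# Sign a CSR with a throwaway lab CA using the usr_cert section of the given
# config, then return the X509v3 Key Usage line of the resulting certificate.
key_usage_of_signed_cert() {
    cfg="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lab-test-CA" \
        -config "$cfg" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$cfg" \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$cfg" -extensions usr_cert -out "$WORK/host.crt" >/dev/null 2>&1
    openssl x509 -in "$WORK/host.crt" -noout -text \
        | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Stand-alone run: print the patch, then the Key Usage before and after the edit.
make_patch
echo "stock config : $(key_usage_of_signed_cert "$ORIG")"
echo "edited config: $(key_usage_of_signed_cert "$NEW")"
```

The same `openssl x509 -noout -text` check is the quickest way to see what a certificate actually signed by the pfSense CA carries, and to confirm after an upgrade whether the patch survived or needs re-applying.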
            johnpoz LAYER 8 Global Moderator @pfpcorey
            last edited by

            @pfpcorey So you say lets encrypt has started doing this?? From this I would think not

            https://community.letsencrypt.org/t/ssl-data-encipherment/133750

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              stephenw10 Netgate Administrator
              last edited by

              Hmm, interesting. Not really any other mention of it I can find. I guess that might explain why.

                pfpcorey
                last edited by

                I agree with backing up any of the files that are changed.

                Editing the openssl.cnf file was something I did not see many topics about within this forum.

                As I was comparing a signed CSR using a custom ICA/CA generated from the pfSense web UI against ACME, I wanted to ask this question.

                The signed certificate has an intended use within Cockpit on a number of servers (not connected to the internet). Naturally the environment will have a different CA generated.

                While the signed CSR from pfSense works well for Apache, Nginx, HAProxy, etc., other applications were not as accepting. I did add my ICA/CA chain to the server's OS. This led me to check out the options in openssl itself (to see what pfSense uses).

                Thank you for the responses. I was going to attempt to edit the openssl.cnf and try that.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.