How to add an imported ca's private key afterwards (edit: ca 2x in the config?)
-
Wow, thanks jimp for the fast answer!
I will try that!
Thanks!
-
Hmm sorry I got another question about the config:
Why do the ca certificate and private key data exist 2 times in the config?
Also what about the serial tag regarding the ca? The internal ca certificate data have a serial of 25 at the first place in the config and a serial of 26 at the second (at the bottom of the file).
When I was to add that private key to the external ca, would I also need to add it 2 times and add a serial tag (which doesn't exist yet for this imported ca)?
Thank you!
-
It shouldn't exist twice in the config.
If you see it under <system>, that should have been removed when I relocated the certificate code out from under there. Those entries are no longer used and can be deleted.
-
ok thanks, but what about the serial tag? Why is there a serial for the internal ca and none for the imported one?
-
Can I delete any <cert> tags under system or just the ca ones?
-
I'd have to trace back through the code again to remember that one. I think it was something of a revision tag, but you can probably add one safely as "1". It isn't a unique ID, that's the refid, so the serial isn't used for significant things like that.
You can delete any <ca>, <cert>, or <crl> tags under <system>.
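As an added example (not code from this thread or from pfSense itself), the script below does what jimp describes on a constructed config.xml sample: it lists and strips the stale `<ca>`/`<cert>`/`<crl>` copies left under `<system>`, reports which top-level CAs carry a `<serial>` tag, and gives an imported CA that lacks one the value "1". The element names (`refid`, `descr`, `serial`, `crt`, `prv`, `caref`) and the sample data are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the internal CA duplicated under <system> with an older serial,
# an imported CA (certificate only, no <serial>), and a stale <cert> under <system>.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>fw</hostname>
    <ca><refid>ca-internal</refid><descr>Internal CA</descr><serial>25</serial>
        <crt>BASE64-CRT</crt><prv>BASE64-PRV</prv></ca>
    <cert><refid>cert-old</refid><descr>old web cert</descr><caref>ca-internal</caref></cert>
  </system>
  <ca><refid>ca-internal</refid><descr>Internal CA</descr><serial>26</serial>
      <crt>BASE64-CRT</crt><prv>BASE64-PRV</prv></ca>
  <ca><refid>ca-imported</refid><descr>Imported CA</descr><crt>BASE64-CRT</crt></ca>
  <cert><refid>cert-vpn</refid><descr>vpn server</descr><caref>ca-internal</caref></cert>
</pfsense>"""

STALE_TAGS = ("ca", "cert", "crl")  # the tags jimp says are unused under <system>

def load_config(xml_text):
    """Parse config.xml text into an element tree root."""
    return ET.fromstring(xml_text)

def stale_entries(root):
    """List (tag, refid) of <ca>/<cert>/<crl> still nested under <system>; live copies are top-level."""
    system = root.find("system")
    if system is None:
        return []
    return [(el.tag, el.findtext("refid")) for el in system if el.tag in STALE_TAGS]

def strip_stale(root):
    """Remove the stale <system> copies in place and return what was removed."""
    system = root.find("system")
    if system is None:
        return []
    stale = [el for el in system if el.tag in STALE_TAGS]
    for el in stale:
        system.remove(el)
    return [(el.tag, el.findtext("refid")) for el in stale]

def ca_serials(root):
    """Map each top-level CA refid to its <serial> text; None when the tag is missing (imported CAs)."""
    return {ca.findtext("refid"): ca.findtext("serial") for ca in root.findall("ca")}

def ensure_serial(root, default="1"):
    """Add <serial> with the suggested default to top-level CAs lacking one; return refids touched."""
    touched = []
    for ca in root.findall("ca"):
        if ca.find("serial") is None:
            ET.SubElement(ca, "serial").text = default
            touched.append(ca.findtext("refid"))
    return touched

def to_xml(root):
    """Serialise the edited tree back to text for writing out."""
    return ET.tostring(root, encoding="unicode")
```

Run it against a backup copy of the config, not the live file, and diff the output before restoring it.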
-
This was stuck in my inbox, haunting me, but I finally managed to work up a fix.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/bfa992bc4eb8f8674f44b94e8617a032854356e9
You should be able to edit CAs and add private keys now.
-
Thank you jimp!
This is great! At least for me it's very useful since I have some imported CAs left from the time when you couldn't import private keys.
Also if you changed your mind and wanted to add the private key later, it's a great feature. Thank you!
-
Just remember when importing a CA to check what your highest certificate serial number is and set it in the GUI as appropriate, so you don't get certificates with overlapping serials. (It makes revoking them a PITA)
-
Thanks, I'll watch out and try it out once I can upgrade the box.