Netgate Discussion Forum
SSL Cert Install

Captive Portal, 6 posts, 4 posters
b00gz (Oct 21, 2007, 4:00 PM):

I am going to purchase and install an SSL cert from instantssl.com, but I am unsure how to generate the CSR. Likewise, I am unsure how to install the cert after I do get it … I did do some searching but got confused by what others were trying to accomplish. If someone is willing to assist me with accomplishing this, I want to make a Wink tutorial for it for other users in the future.

dtran (Nov 20, 2007, 4:05 PM):

Some information for you.
This was done on m0n0wall, so it should work with pfSense as well.

M0n0wall doesn't support SSL certificate chaining (and therefore doesn't support the use of intermediate certificates), so you can't use a Certificate Authority like GoDaddy or Verisign that requires intermediate certificate chaining. To get around this, you will have to use a Certificate Authority that doesn't require the use of intermediate certificate chaining. In my case, I went with Thawte.com and used their SSL123 certificate. At the time of this writing, Thawte charges $150 per SSL certificate per year.

OpenSSL (openssl.org) can be installed on Windows or on Linux.

Generate a new key request:

    /usr/bin/openssl genrsa -des3 -out mykey.key 1024

This command generates a 1024-bit RSA private key and stores it in the file mykey.key. When prompted for a pass phrase, enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.

M0n0wall requires the key to be in PEM format, so convert the private key we just generated into PEM format:

    openssl rsa -in mykey.key -out mypemkey.key -outform PEM

Generate the certificate request with this command:

    /usr/bin/openssl req -new -key mykey.key -out mycsr.csr -config /usr/local/ssl/openssl.cnf

    Enter pass phrase for mykey.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:yourcountrycode
    State or Province Name (full name) [Some-State]:yourstate
    Locality Name (eg, city) []:Los Angeles
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:yourcompany
    Organizational Unit Name (eg, section) []:yourunitname
    Common Name (eg, YOUR name) []:myhost.mydomain.com                <--- enter your domain name here
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Please do not enter your email address, a challenge password or an optional company name when generating the CSR.

A public/private key pair has now been created. The private key (mykey.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (mycsr.csr), will be used for certificate enrollment.

Copy and paste the contents of your CSR file into the enrollment form on Thawte's web page. The SSL certificate you need to buy from Thawte is called the SSL123, which doesn't require the use of intermediate certificates.

Choose ApacheSSL as the web server so that you get your SSL certificate in X.509 PEM format, which m0n0wall will understand (the certificate from Thawte is already in PEM format).

Put the contents of the intermediate certificate (cut/paste) at the end of your certificate and save it into the box.

Now you need to upload any image files that were referenced in the HTML so that they are stored locally; otherwise the end user will get prompted for files that are referenced outside the SSL.

buraglio (Dec 24, 2007, 3:02 PM):

Some important info: Instantssl certs will still throw SSL errors unless you install the chain file. Last I looked, pfSense didn't support the chain through the GUI (I had some patches, but they were buggy). It is possible to do through the CLI with minimal effort.

nb

https://www.forwardingplane.net/

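Worked example, added here and not code from any post in this thread: a POSIX shell script that walks the CSR procedure from dtran's post and then reproduces the chain problem buraglio describes. It stands up a throwaway root CA and intermediate CA in place of the commercial CA, generates the server key and CSR (2048-bit RSA with a subjectAltName rather than the 1024-bit, CN-only request above, and without a pass phrase, since a firewall has to load the key unattended), has the intermediate issue the certificate, and then runs `openssl verify` as a client that trusts only the root: once with the leaf alone, which fails the way the browsers in this thread do, and once with the leaf+intermediate chain file. The hostname, subject fields, directory and file names are assumptions; it needs OpenSSL 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example (not from the forum thread). Builds a two-tier demo CA,
# generates a server key + CSR, signs it with the intermediate, and shows
# that a client holding only the root cannot validate the leaf unless the
# intermediate is served alongside it. Hostname and file names are assumed.
set -u
WORK="${WORK:-$(mktemp -d)}"
HOST="myhost.mydomain.com"   # assumed hostname, same as in the post

# Quiet wrapper: keeps openssl chatter out of the demo output.
q() { "$@" >/dev/null 2>&1; }

# Stand-in for the commercial CA: self-signed root, root-signed intermediate.
# Extensions come from an explicit file so the system openssl.cnf is not relied on.
build_demo_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  q openssl genrsa -out "$WORK/root.key" 2048
  q openssl req -new -key "$WORK/root.key" -subj "/O=Demo/CN=Demo Root CA" \
    -out "$WORK/root.csr"
  q openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem"
  q openssl genrsa -out "$WORK/intermediate.key" 2048
  q openssl req -new -key "$WORK/intermediate.key" \
    -subj "/O=Demo/CN=Demo Intermediate CA" -out "$WORK/intermediate.csr"
  q openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem"
}

# Server side: the key and CSR you would paste into the CA's enrollment form.
# The hostname goes into a SAN; browsers match on the SAN, not just the CN.
make_server_csr() {
  q openssl genrsa -out "$WORK/server.key" 2048
  q openssl req -new -key "$WORK/server.key" \
    -subj "/C=US/ST=CA/L=Los Angeles/O=yourcompany/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" -out "$WORK/server.csr"
}

# Sanity check before enrollment: the public key inside the CSR must be the
# one derived from server.key, or the issued cert will be useless.
csr_matches_key() {
  csr_pub=$(openssl req -in "$WORK/server.csr" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$WORK/server.key" -pubout) || return 1
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# What the CA does with the CSR: the intermediate (not the root) signs it.
# The concatenation at the end is the "chain file": leaf first, then intermediate.
issue_server_cert() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
  q openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/server.pem"
  cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"
}

# Client that trusts only the root. Served just the leaf, it cannot build a
# path root -> intermediate -> leaf: this is the browser warning in the thread.
verify_without_chain() {
  q openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem"
}

# Same client, but the server now sends the chain file. -untrusted models
# certificates received from the peer rather than from the local trust store.
verify_with_chain() {
  q openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" \
    "$WORK/server.pem"
}

build_demo() { build_demo_ca && make_server_csr && issue_server_cert; }

if command -v openssl >/dev/null 2>&1; then
  build_demo
  csr_matches_key && echo "CSR public key matches server.key"
  verify_without_chain || echo "leaf alone: verify FAILS (missing intermediate)"
  verify_with_chain && echo "leaf + intermediate chain file: verify OK"
  echo "chain file to install: $WORK/fullchain.pem"
fi
```

The chain file produced at the end (leaf followed by intermediate, never the root) is the object buraglio is talking about: whatever the firewall's GUI or CLI does with it, the test is that a client holding only the root succeeds in `verify_with_chain` and fails in `verify_without_chain`.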
dtran (Jan 7, 2008, 11:08 PM):

Yes, that's correct.
I'm using a GoDaddy cert and the chain file is needed.
Thank you

bubbanc (Jan 9, 2008, 4:43 PM):

@buraglio wrote:

    Some important info: Instantssl certs will still throw SSL errors unless you install the chain file. Last I looked, pfSense didn't support the chain through the GUI (I had some patches, but they were buggy). It is possible to do through the CLI with minimal effort.

    nb

Can you elaborate on how you do this through the CLI? We have an SSL certificate signed by an intermediate, so we're getting the SSL errors for clients that don't explicitly trust the intermediate.

Thanks,
Brian

dtran (Jan 10, 2008, 10:23 PM):

Look at this. Just follow the instructions there.

http://forum.pfsense.org/index.php/topic,2966.0.html

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.