Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Digital signed Certificate error in pfsense

    Scheduled Pinned Locked Moved Cache/Proxy
    19 Posts 3 Posters 4.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • jimpJ
      jimp Rebel Alliance Developer Netgate
      last edited by

      You'd have to run OpenSSL commands on the cert file itself to print out all of its properties and see what is set. Something simple like:

      openssl x509 -in certificate.crt -text -noout
      

      You could run that from a shell on pfSense, if you have a copy of the exported .crt on there somewhere. Easier to do on your workstation though.

      As for using a cert in a transparent proxy, that would be a problem for a different thread.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • N
        noor
        last edited by

        Yes i have followed above instructions
        in pfsense it is not showing server certificate OR User certificate
        but when i downloaded the certificate in windows and checked it is showing SSL server certificate included 20 names of my other server which is SAN certificate.

        interesting thing is that the SSL certificate working fine in pfsense for its web configurator but showing Server = No
        pfsense using this certificate for its web configurator which means this is SSL server certificate but when i checked in Cert manager it is showing server Certificate = No

        i think this is programming but with Digital signed certificate please look into this and help all of us to resolve that issue.

        Regards,

        1 Reply Last reply Reply Quote 0
        • jimpJ
          jimp Rebel Alliance Developer Netgate
          last edited by

          Can you post the full certificate details? You can mask or remove identifying text.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • N
            noor
            last edited by

            Snapshot attached for your reference.
            please help

            Regards,
            Noor.

            Snap01.jpg
            Snap01.jpg_thumb
            Snap02.jpg
            Snap02.jpg_thumb
            Snap03.jpg
            Snap03.jpg_thumb
            Snap04.jpg
            Snap04.jpg_thumb
            Snap05.jpg
            Snap05.jpg_thumb

            1 Reply Last reply Reply Quote 0
            • N
              noor
              last edited by

              Dear can you please forward this serious issue to developers of pfsense as per my understanding this is the bug in pfsense.

              Regards,
              Noor.

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                Can you just PM me the PEM certificate so I can run it through OpenSSL and see what's really there?

                Thanks.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • N
                  noor
                  last edited by

                  please check your PM

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    Certificate in question does not contain the nsCertType: SSL Server attribute.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    1 Reply Last reply Reply Quote 0
                    • N
                      noor
                      last edited by

                      i am using this certificate for pfsense web configurator which is working fine with port 443 if it is working fine for pfsense web configurator that means this is SSL server certificate
                      please do correct if i am wrong.
                      also give me some clue so that i can discuss this with certificate issuer technical team as they are saying that is server certificate.

                      your support will be highly appreciated.

                      Regards,

                      1 Reply Last reply Reply Quote 0
                      • N
                        noor
                        last edited by

                        Dear Derelict

                        I have received answer from certificate issuer .

                        Please attention “Extended Key Usage” attribute :

                        X509v3 Extended Key Usage:
                                        TLS Web Client Authentication, TLS Web Server Authentication

                        “TlS Web Server Authentication” mean that it’s a SSL Server certificate.

                        please advise.

                        1 Reply Last reply Reply Quote 0
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          Those are two different attributes.

                          "TLS Web Server Authentication" is not the same as "nsCertType: SSL Server"

                          Only "nsCertType: SSL Server" indicates a "Server Certificate".

                          Though there are cases that require one, the other, or both. (e.g. IKEv2)

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          • N
                            noor
                            last edited by

                            Dear Jimp,

                            I have received reply from certificate authority which is mentioned as below.

                            " In fact ,the “Netscape Cert Type: SSL Server attribute” don’t have practical applications. So  our SSL certificate had discarded it.

                            I regret to that we can’t adding it.

                            Dear Jimp please advise what is your opinion i want to resolve that issue because it is very important for me. without this i am unable to activate transparent proxy with the help of certificate in pfsense .

                            1 Reply Last reply Reply Quote 0
                            • jimpJ
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              That's between you and the certificate issuer. Nothing we can do there.

                              The real question now is: Exactly what purpose are you attempting to use the certificate for that does not work?

                              "nsCertType = SSL Server" is used for OpenVPN, certainly, but you would not want to use an externally-issued certificate structure for OpenVPN.

                              And for SSL interception with a transparent proxy, you'd also need your own self-signed CA structure, not an externally-issued certificate.

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • N
                                noor
                                last edited by

                                Dear Jimp,

                                yes i want to use this for SSL interception with a transparent proxy and i have used internal CA structure which is working fine except one issue which is some sites are identified self signed certificate and not working.
                                I have already added certificate in local systems certificate and in web browser and google, yahoo, etc all sites are working fine with https but only some sites identified the self signed certificate and then i decided to go with digital signed certificate and when i added this digital certificate my squid and squid guard services became stopped.

                                1 Reply Last reply Reply Quote 0
                                • DerelictD
                                  Derelict LAYER 8 Netgate
                                  last edited by

                                  You cannot use a certificate like that to do SSL interception. Like jimp said you need a local CA.

                                  SSL interception works by dynamically creating a certificate with the CN/SAN of the site the user is trying to reach and presenting that to the user instead of the site's real certificate.

                                  You cannot do that if you do not possess the private key for the CA to sign the certificates as you create them.

                                  Chances are you do not possess the private key for that certificate authority.

                                  Chattanooga, Tennessee, USA
                                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  1 Reply Last reply Reply Quote 0
                                  • N
                                    noor
                                    last edited by

                                    Thanks to All of you to start great discussion and helped me out with logical answer.

                                    Regards,
                                    Noor.

                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.