Digital signed Certificate error in pfsense
-
Can you post the full certificate details? You can mask or remove identifying text.
-
Snapshot attached for your reference.
please helpRegards,
Noor.
-
Dear can you please forward this serious issue to developers of pfsense as per my understanding this is the bug in pfsense.
Regards,
Noor. -
Can you just PM me the PEM certificate so I can run it through OpenSSL and see what's really there?
Thanks.
-
please check your PM
-
Certificate in question does not contain the nsCertType: SSL Server attribute.
-
i am using this certificate for pfsense web configurator which is working fine with port 443 if it is working fine for pfsense web configurator that means this is SSL server certificate
please do correct if i am wrong.
also give me some clue so that i can discuss this with certificate issuer technical team as they are saying that is server certificate.your support will be highly appreciated.
Regards,
-
Dear Derelict
I have received answer from certificate issuer .
Please attention “Extended Key Usage” attribute :
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication“TlS Web Server Authentication” mean that it’s a SSL Server certificate.
please advise.
-
Those are two different attributes.
"TLS Web Server Authentication" is not the same as "nsCertType: SSL Server"
Only "nsCertType: SSL Server" indicates a "Server Certificate".
Though there are cases that require one, the other, or both. (e.g. IKEv2)
-
Dear Jimp,
I have received reply from certificate authority which is mentioned as below.
" In fact ,the “Netscape Cert Type: SSL Server attribute” don’t have practical applications. So our SSL certificate had discarded it.
I regret to that we can’t adding it.
Dear Jimp please advise what is your opinion i want to resolve that issue because it is very important for me. without this i am unable to activate transparent proxy with the help of certificate in pfsense .
-
That's between you and the certificate issuer. Nothing we can do there.
The real question now is: Exactly what purpose are you attempting to use the certificate for that does not work?
"nsCertType = SSL Server" is used for OpenVPN, certainly, but you would not want to use an externally-issued certificate structure for OpenVPN.
And for SSL interception with a transparent proxy, you'd also need your own self-signed CA structure, not an externally-issued certificate.
-
Dear Jimp,
yes i want to use this for SSL interception with a transparent proxy and i have used internal CA structure which is working fine except one issue which is some sites are identified self signed certificate and not working.
I have already added certificate in local systems certificate and in web browser and google, yahoo, etc all sites are working fine with https but only some sites identified the self signed certificate and then i decided to go with digital signed certificate and when i added this digital certificate my squid and squid guard services became stopped. -
You cannot use a certificate like that to do SSL interception. Like jimp said you need a local CA.
SSL interception works by dynamically creating a certificate with the CN/SAN of the site the user is trying to reach and presenting that to the user instead of the site's real certificate.
You cannot do that if you do not possess the private key for the CA to sign the certificates as you create them.
Chances are you do not possess the private key for that certificate authority.
-
Thanks to All of you to start great discussion and helped me out with logical answer.
Regards,
Noor.
