Remote Access SSL/TLS OpenVPN without CA on pfSense
-
Dude you have to create the ca
I created it exactly in this way but I didn't create server cert using this CA. I just created CSR and issued it on Windows Server PKI. Thanks mate! Testing now!
-
Your going to have to have that CA sign your cert you request.. Or just import the cert you create on your CA for it..
-
Your going to have to have that CA sign your cert you request..
Yes… Exactly
I imported CA public key in the same way as on your screenshot.
Then I created CSR: Cert Manager - Certificated - Add - Create a Certificate Signing Request
I exported *.req file, imported it into Windows Server CA, issued it and I exported base 64 of it...on pfSense I completed signing request by pasting base 64 into "Final certificate data" (I did it in past for SSL cert for Web GUI HTTPS and that works well)
-
Well dude how is it going to work when clearly it is NOT a server cert..
-
That means that I have to find out what is server cert for pfSense from the perspective of Windows Server CA. I tried several templates and they all have "Server Authentication" or server and "Client Authentication" but that probably is not enough for pfSense. I haven't found any specific Windows Server CA / pfSense guide so I will have to trial and error different configurations of template.
Thank you.
-
Pretty sure there is a "web server" template - I would guess that would be the template to use. I have not used windows based CA in long time.. But I do recall that template. What version of windows area you using? 2k8, 2k12 - new 2k16?
-
2012 R2 but this should not matter. Most of those templates are by default in 2003 version. When I try something new (for example in this case) I always start with the old one and when it works I try to "upgrade it" since new templates are better from security perspective. Funny that my SSL cert for GUI shows "Server: No" but works as expected ;-).
"Web Server" template is there… I will test it ASAP. Thank you.
-
Nope, still Server: No
I will try to create internal CA and server cert and export config. Then I will switch files in exported archive and try to connect. It might work since pfSense allows me to save Server configuration with "Server: No" certificate…
-
Did you managed to find out what a "Server" certificate is?
I am not using Windows Server CA but EJBCA and having the same issue: my certificate is treated as "Server: No" by pfSense. -
A server certificate has this attribute:
Netscape Cert Type:
SSL ServerThe following extensions are non standard, Netscape specific and largely obsolete. Their use in new applications is discouraged.
idk.
See Also: man x509v3_config
I am not 100% sure exactly what needs that to be present, but it's not pfSense. Maybe strongswan and openvpn.
You will probably find it easier to keep the certificates on pfSense so you can use the client export utility but there is no requirement to do so.
You do have to have the CA certificate installed on the firewall so openvpn can validate client certificates against it but you don't need the private key there unless you are going to generate/sign client certificates there.
You will need to import the certificate and key parts as the server cert but they do not have to be generated on pfSense.
