Netgate Discussion Forum

    Certificate Manager only exports insecure P12 Server certificates

      bigtfromaz
      last edited by bigtfromaz

      I am trying to use the pfSense certificate manager as a convenient place to create and manage certificates for my local network. When I export a server certificate in P12 format the UI does not let me choose a password. I need to import that certificate and private key into a Docker image running a Spring app using Java keytool. However keytool is asking for a password and I have no idea what it is. I tried " " and "" with and without quotes and it fails every time.

      So, it appears that pfSense is exporting an unprotected file and keytool wants nothing to do with unprotected P12 files.

      The export process on pfSense seems deficient in this regard. It should ask for a password and if the person exporting the certificate and key wants to set an empty password, or make it unprotected, let them. Emitting insecure files containing private keys as the only choice seems less than optimal.

      I am posting here to see if there is a solution I don't know about before switching to a different certificate manager.

      There is no need to suggest working around the problem with an internal proxy. I saw a post from 8 months ago on this and don't need a new layer of complexity to work around the limitation.

        johnpoz LAYER 8 Global Moderator
        last edited by

        what would a proxy have to do with it??

        You can always put a password in your p12 with openssl.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          Napsterbater
          last edited by Napsterbater

          Found this.

          https://stackoverflow.com/questions/20904657/using-a-p12-file-without-a-password-in-java

          openssl pkcs12 -in cert.p12 -out temp.pem -passin pass: -passout pass:temppassword
          openssl pkcs12 -export -in temp.pem -out cert-final.p12 -passin pass:temppassword -passout pass:newpassword
          rm -f temp.pem

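The two-step re-wrap quoted above, as an added shell example that is not part of the thread: it needs only the openssl CLI, builds a self-signed test bundle with an empty password (constructed file names and passwords) to stand in for the pfSense export, re-wraps it, and then checks that the empty password no longer opens the result.

```shell
#!/bin/sh
# Added example (not from the thread): re-wrap a password-less PKCS#12, such as
# the one pfSense's Certificate Manager exports, into one protected by a real
# password, and verify that the empty password no longer opens it.
# Requires the openssl CLI; file names and passwords are constructed.
set -eu

# rewrap_p12 IN.p12 OUT.p12 NEWPASS
# The openssl recipe from the thread: unpack with the empty password into a PEM
# encrypted under a throwaway password, then re-export under the new password.
rewrap_p12() {
  src="$1"; out="$2"; newpass="$3"
  tmp=$(mktemp) || return 1
  openssl pkcs12 -in "$src" -out "$tmp" -passin pass: -passout pass:temppassword
  openssl pkcs12 -export -in "$tmp" -out "$out" \
    -passin pass:temppassword -passout "pass:$newpass"
  rm -f "$tmp"   # the intermediate PEM holds the private key; do not leave it behind
}

# p12_opens_with FILE PASS -> exit 0 only if the bundle's password is accepted
p12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# make_unprotected_p12 OUT.p12: constructed stand-in for the pfSense export,
# a self-signed cert plus key bundled with an empty password.
make_unprotected_p12() {
  dir=$(dirname "$1")
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -out "$1" -passout pass:
}

# Demo: build the unprotected bundle, re-wrap it, report which passwords open it.
work=$(mktemp -d)
make_unprotected_p12 "$work/nopass.p12"
rewrap_p12 "$work/nopass.p12" "$work/secure.p12" "Str0ng-P12-Pass"
for f in nopass.p12 secure.p12; do
  if p12_opens_with "$work/$f" ""; then
    echo "$f: opens with empty password"
  else
    echo "$f: empty password rejected"
  fi
done
p12_opens_with "$work/secure.p12" "Str0ng-P12-Pass" && echo "secure.p12: opens with new password"
```

Passwords given as `pass:` are visible in the process list while openssl runs; the same commands accept `-passin file:` or `env:` sources when that matters on a shared host.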
            bigtfromaz @Napsterbater
            last edited by

            @napsterbater Thanks for the response. I found that post before posing my question here. The issue is that this solution required the installation of a different certificate manager.

            What follows is not a complaint but an observation. It is now clear to me that the pfSense Certificate Manager is designed to import and export certificates needed by the router. It's a great router. We really shouldn't need it to be a CA as well.

            So I installed OpenSSL and used it to recreate all my certs, replacing the old ones as needed. We no longer generate certificates in the pfSense Certificate Manager.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.