When creating self signed certificate, no prompts

markn6262

@johnpoz Thanks so much for all your help john, jimp, steven. Not quite the homecoming I was expecting.

markn6262

@jimp Threats don't go over well either. I think hijack is a bit strong for what I'm trying to do. Redirecting a customer's planned session that has not yet been established.

stephenw10

You might argue a self signed cert is actually better in that situation as it's obviously not the site you were trying to reach.

Vs a cert from a known CA but with the wrong host name.

Both produce an alarming error if you're not used to it though

Steve

markn6262

@stephenw10 I agree, probably the best. Probably good to deal an alarming site vs threats (just ribbing a bit jimp, I understand). I need to get their attention especially in the no-pay situation and perhaps even RIAA infractions. Was hoping to expand to outages to entire pool but doubtful I'll do that with cert prompts. I'll use it sparingly. Thanks again guys.

jimp

Well, the wrench is an old joke, but threats to the pocketbook also work. "If you unplug this device without authorization, it will result in a service charge of $$$$"

markn6262

@jimp Funny! Tried to keep it simple...

markn6262

@johnpoz Hey John, when I create a server CA and Cert within PfSense Certificate Manager I'm given the option of downloading a .crt and .key file but not a .pem. Can you instruct?

johnpoz

crt is just a pem file.. look at it..

markn6262

@johnpoz Ahhh, so just rename. Thanks.

markn6262

@johnpoz Unfortunately simply renaming doesn't fly.

root/: /usr/local/etc/rc.d/mini_httpd.sh start

34381057080:error:0906D06C:PEM routines:PEM_read_bio:no start line:/builder/pfsense-234/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:696:Expecting: ANY PRIVATE KEY
34381057080:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:/builder/pfsense-234/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:635:

johnpoz

I do not run that... But what I can tell you is the file you export is PEM... simple enough to test it with openssl.

Here I just created a cert for another thread.. Tested it..

stephenw10

Combine the cert and key in one file:

-----BEGIN PRIVATE KEY-----
keydatakeydatakeydatakeydatakeydatakeydatakeydatakeydata
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
certdatacertdatacertdatacertdatacertdatacertdatacertdatacertdata
-----END CERTIFICATE-----

At least that's what it looks like it's expecting.

Steve

markn6262

@stephenw10 Thanks Steve, even tho freebsd “openssl verify ...” said the pem was bad that did the trick.

stephenw10

It's been a while since I tested this but co-incidentally did today and in fact every browser I tested is able to detect a captive portal redirect and trigger some alert to login without some huge error screen. It won't do that with a port forward lik you're doing here.
Kind of scary from a security view but makes it slick for end users.

You would have to use it in some inverse way though. White-list all clients and remove those who need to see the redirect.

Steve

johnpoz

@markn6262 said in When creating self signed certificate, no prompts:

said the pem was bad that did the trick.

Then you got a bad copy or something in your download..

markn6262

Maybe I wasn't clear enough in my last post. Combining the cert and key files into a pem file works with mini_httpd as stephen suggested. I'm golden! It's just that freebsd openssl verify reports the pem file as bad, oddly enough. I've never got a pem to report good creating from a freebsd comand line or from within PfSense GUI.

johnpoz

Report good from where... I just showed you checking a pem file that was downloaded from the gui.. I don't use whatever app your using... But sure they can be finicky... Trying to get plex to use different cert for its domain was a whole freaking learning curve in itself..
"Custom certificate encryption key"
Thought they wanted the path to the key - no they wanted the "password" you put on the p12 file that you combined the cert and key file in, etc..

But have had zero issues using the CA manager and export certs and keys from it. I use the certs from there in multiple things. My switches, my unifi controller, my plex box, etc. etc. Certs for my windows machines for RDP, etc.. Its a great overall CA.. only thing is wish you could put passwords on your p12 when you export them..

markn6262

@johnpoz I was wondering if I needed to use to p12. I didn't and it worked fine simply combining the CERT and KEY in a PEM file with the mini_httpd daemon. The PEM file PfSense creates reports bad from PfSense command prompt using "openssl verify fiiename.pem", try it. I'm not using some app to check PEM integrity. Until this thread, I had no idea the PfSense Cert Manager could make them for apps other than PfSense itself. That's good to know.

johnpoz

where is the rest of your command? the pems you create are going to be your private CA.. so no its not going to be able to just the verify command you would have to call out the CA..

So for example checking the freerad server pem, with the CA file..

openssl verify -CAfile ca_cert.pem server_cert.pem
server_cert.pem: OK

markn6262

@johnpoz Google searches showed me the syntax I used. Apparently doesn't work for PfSense generated certs. The only cert files I find on the PfSense drive is for OpenVpn, nothing for Httpd. An OpenVpn folder has server2.ca .cert & .key. So I don't know how to translate your command to my situation. The only thing I know to try, as far as verification goes, is "openssl verify /etc/ssl/mini_httpd.pem" which reports;

/etc/ssl/mini_httpd.pem: CN = 127.0.0.1 CA
error 18 at 0 depth lookup:self signed certificate
OK