Certificate Issue

maldemer

I didn't use the PFSense cert manager because I'm actually generating two self-signed certs - a root CA cert and a server cert with multiple SANs. As far as I can see, the Web GUI is somewhat limited and doesn't include the ability to add SANs to a cert. Also, I'm familiar with using OpenSSL to generate certs in my daily work, although this cert is for my family network.

I did attempt to import it to the CA section - otherwise I wouldn't have the error I described "This doesn't appear to be a CA cert" that I mentioned in the original post.

The cert is to allow all my servers to be trusted in the network. Which means a single self-signed root cert and a self-signed server cert for each of my servers. That's why I'm using a multiple SAN server cert. By installing the CA cert in each of the family's systems, the servers will be trusted in network.

I have validated both my generated certs by using them on Linux and FreeNAS servers with Windows clients. My PFSense boxes (primary and failover) are the only places that are problematic because they will not import the CA cert.

KOM

Anything in the System log?

johnpoz

@maldemer said in Certificate Issue:

As far as I can see, the Web GUI is somewhat limited and doesn't include the ability to add SANs to a cert.

Not sure where your looking.. All of my certs I create have multiple SANs on them - for IPs and name, etc..

You would create the CA on pfsense, and then sign whatever sort of certs you want -- all in the simple to use gui.

How did you create your CA - what is the exact command you ran, and I will try and duplicate your issue here.. I have imported many a CA cert into the manager without any issues.

Which means a single self-signed root cert and a self-signed server cert for each of my servers.

No not really... You sure do not need to install the CA on any box that is just using your cert for its https services.. I have certs installed on my cisco switches so my browser trusts them - they don't have the CA certs installed on them.

Once you create a CA, you can sign off on certs from that CA... In your browser you would trust anything signed by that CA, so now any https/tls gui you access would be trusted by that browser, etc.

johnpoz

So i just created a CA with openssl 1.1.1 and imported it into pfsense cert manager just fine.

user@clean18:~$ openssl version
OpenSSL 1.1.1  11 Sep 2018
user@clean18:~$

Did this

openssl genrsa -out rootCA.key 4096

then

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

Then copied the rootCA.crt to pfsense web gui for importing CAs

Bob's Your Uncle!

KOM

While I'm sure he could do it all with in the GUI, I'm curious as to why certs that works elsewhere don't work here.

johnpoz

No idea - because he has provided no info to go on.. Once he says how he created his CA in openssl I can try and duplicate.

But I have imported many a CA into pfsense via the gui, never an issue... Could be something as simple as bad copy past.. He not grabbing the last line or missing the first line, etc.

As you can see, created a CA, imported it into pfsense in like 2.3 seconds with zero issues.

That he thinks he even needs to install his CA into pfsense.. He doesn't need to do that to use an SSL for the web gui.. Not sure what he thinks its getting him installing the CA into pfsense.. Doesn't make any sense from what I can make of his use case.

KOM

Last time I did it was 2 weeks ago when I spun up an IPSec site to site. I had no problem importing each site's CA cert into the other end. I wonder if this is another stupid LF/CR type thing.

johnpoz

I just did another test with making sure to do the V3 ext when creating the ca cert..

-reqexts v3_req -extensions v3_ca

imported just fine as well.. Maybe he encrypted the damn thing? No idea what he is doing wrong.. Or maybe he is doing something odd?? Simple enough for him to show us his openssl command so we can try and duplicate it.

maldemer

Thanks for the replies, everyone.

Here's how I created the root CA cert with OpenSSL - first creating the key, then the cert itself.

openssl genrsa -out rootCA.key 2048
openssl req -X509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

The resulting .pem fails to install on PFSense with the error "this does not appear to a CA cert". I also created a server cert which is a little more involved as it involved creating a config file for the SANs. That file installs as a server cert without any problems.

After posting my original message, I created a similar cert on a Windows server using PowerShell like this:

$Params = @{
DnsName = "Root CA Certificate"
FriendlyName = "Root CA Certificate"
KeyUsage = 'CertSign', 'CRLSign'
KeyLength = 2048
KeyAlgorithm = 'RSA'
HashAlgorithm = 'SHA256'
NotAfter = (Get-Date).AddYears(10)
KeyExportPolicy = 'Exportable'
CertStoreLocation = 'Cert:\LocalMachine\My'
}
$rootCA = New-SelfSignedCertificate @Params
Export-Certificate -Cert $rootCA -FilePath "C:\Users\xxxx\rootCA.crt"
Get-ChildItem Cert:\LocalMachine\my | where-Object { $_.Subject -match 'Root CA' } | remove-Item

I then converted the .crt file to a ,pem using

openssl x509 -inform DER -in rootCA.crt -out rootCA.pem

The output .pem file also fails to install on PFSense with the same error message.

I failed to notice the option on the server cert page in PFSense to include SAN addresses - my mistake. But since the server cert installs without an issue that's not relevant here.

I can create another CA file on PFSense and then a server cert and install the CA cert on the two systems that might be used for access to PFSense. That will work around the issue, but it's still an issue that should be root caused. I hope it's something I failed to include.

KOM

@johnpoz is using a 4096 bit-length. Try that and see if it makes any difference.

johnpoz

It's not an issue with the very LOW key length.. I just tested with that as well..

Is your browser dicking with the paste? How are you copy pasting the cert..

Can you create a new test CA and cert and post them here?

Example - here is my test CA can you import that?

You are grabbing all of it right, the Begin and End Certificate lines for your paste?

maldemer

Standard copy/paste from a Linux system into PFSense, so no CR/LF issues. Both the header and trailer are there.

Also, same result with 4096 bit key. incidentally, the key length only matters when the cert is used in a trust setting - not relevant here.

Going to rebuild PFSense box this evening, in case it's a weird corruption issue, now that I know others aren't seeing the same issue.

johnpoz

Can you copy paste the one I posted.

edit: as to the key length.. There is no real security issue for this use case no, but I normally make my CAs for 10 years or so min.. Since its not a issue with anything I am doing with them - I tend to go on the larger size..

But sure my use of cap low might of been a bit misleading ;)

You have something wrong that is clear - I doubt its a corruption sort of problem in pfsense, but if can not duplicate it going to be hard to point to what it actually is.

I would be curious for you to post up a test CA cert that I can try to import into pfsense, and would be curious if you can import the one I posted.

maldemer

Issue resolved. I took my primary PFSense box offline and the failover box kicked in. I tried installing the cert I created on that box and it worked! Obviously I have a system problem rather than the software issue I thought I had.

My apologies to all, especially @johnpoz, for all the wasted time looking at the problem.

johnpoz

Looking into issues is never wasted time.. Something really odd for sure going on - have never seen such an issue before.. Which are always the fun ones!

Would be better to try and figure out what exactly is wrong with the install that could be causing such an issue - there are no errors in the log at all? Was this a clean install, or an update? Was it restored from a backup xml from a different or older system, etc.?

Let us know when you have your primary working again.