OpenVPN Export Wizard Using Wrong Root CA Certificate
-
This occurs using pfSense 2.4.5-RELEASE (arm) on an SG-3100.
I had two Root CAs in pfSense's Certificate Manager. #1 is a chained, self-signed Root and Intermediate certificate pair (my Root CA plus a CA key signed with my Root CA). #2 is a pfSense-generated certificate. When I set up OpenVPN, I used CA #2 to sign the OpenVPN server certificate (CERT #1), while I spent time understanding how to use OpenSSL 1.1.1 to put the needed attributes into the certificate from CA #1.
Yesterday I finished my research and imported the new certificate signed by #1 (along with its private key); note that the certificate contains the complete CA chain (root and intermediate) along with the server certificate. Let's call this CERT #2. After importing, I edited the Server config to switch to CA #1 as the Peer Certificate Authority, and the newly-signed certificate (by CA #1)
All the attributes were correct, but OpenVPN was giving me an error that the Root CA was unknown. I opened the OVPN bundle file with Notepad ++ (on Windows) and was able to determine that the Intermediate CA was from #2, but the exported Root CA was from #1.
I manually copied the correct encoded CERT data from Root CA #1's certificate file, pasted it into the OVPN file and re-exported that to iOS. Now everything works fine.
I have two different VPN ports opened on my router, and after the first one worked I reconfigured and exported the second. Same Root CA certificate problem; also fixed with manual copy and paste.
It seems that the OpenVPN Export error that, for some reason, grabs the wrong Root CA on a chained CA set.
Note in my initial paragraph I said I had two root CAs. I have since deleted CA #1 and its certificates, as I do not need them (and I am hopeful that whenever I re-export things, it will put the correct CA certs in place since there is only one saved in pfSense now).
I don't know how many people have tried exports with more than one Root CA in place, and feel that this is likely a bug.
Thoughts/comments?
-
@Draco I've posted this to Redmine: Issue #10649
-
I'm willing to try to reproduce this, I'm using the latest stable version, 2.4.5-p1.
But my OpenSSL is different : OpenSSL 1.0.2u-freebsd ....
You have 1.1.1 .... how ?? -
See my notes on the Redmine issue. It's almost certainly not a bug, but a problem with the way you imported them and/or ambiguity in the subjects of the entries. There isn't nearly enough information here to speculate beyond that.
-
@Gertjan I am running OpenSSL on my Windows development machine, not using the version on pfSense. I set up my CA long before I owned a NetGate box. I have OpenSSL 1.1.1g 21 Apr 2020, though I've been running my private CA since OpenSSL 1.01. Lots of fixes since 1.0.2.
I am using my Root CA cert to sign an Intermediate CA Cert. It is the Intermediate CA Cert that signed the pfSense cert/key. Attributes from my pfSense cert:
Version V3
Signature algorithm SHA512 RSA
Issuer : (me - I don't think you need these details... but if you do let me know)
Valid from:‎ Saturday, ‎June ‎6, ‎2020 5:21:31 PM
Valid to: ‎Sunday, ‎August ‎20, ‎2023 5:21:31 PM
Subject: E = (obscured), CN = (the DNS name of my pfSense), O = (me), S = WA, C = US
Public key: RSA (2048 bits)
Subject & Authority Key identifier: (let me know if you need these)
Public key params: 05 00
Basic Constraints:Subject Type=End Entity, Path Length Constraint=None
CRL Distribution Points: lists 1 URL on my website
EKU: Server Authentication (1.3.6.1.5.5.7.3.1), IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
Netscape Comment: OpenSSL Generated Server Certificate
Netscape Cert Type: SSL Server Authentication (40)
Subject Alternative Name: (my external DNS for VPN), (repeat of CN from subject), and 2 IP addresses for the Netgate on my internal network
Key Usage: Digital Signature, Key Encipherment, Key Agreement (a8)
Thumbprint: (not clear you need this)That should be all you need to try to duplicate. Start with a CA key and a self-signed Cert. Then use that to sign an Intermediate cert (these are what I called CA #2 in my post). Then create a key/cert and sign it with the above attributes.
Before installing on pfSense, use the GUI to generate a self-signed CA pair (CA #1 in my post).. Then create a VPN key and sign with the pfSense CA pair. Use this signed cert + key for VPN. Export client, and the router Cert should contain the CA#1 cert.
Next install the CA #2 onto pfSense. I did that as a chained certificate as per pfSense docs (see: link text). Here is the relevant text from that doc page:
Importing a Chained or Nested Certificate Authority
If the CA has been signed by an intermediary and not directly by a root CA, it may be necessary to import both the root and the intermediate CA together in one entry, such as:-----BEGIN CERTIFICATE----- [Subordinate/Intermediate CA certificate text] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [Root CA certificate text] -----END CERTIFICATE-----
If you would like to save yourself the trouble of creating a CA, post a CSR in PEM format as:
-----BEGIN CERTIFICATE REQUEST----- ... encoded data here ... -----END CERTIFICATE REQUEST-----
... and I'll sign the key, valid for 30 days, for you to test with.
Let me know if you need anymore information to try to repro.