Netgate Discussion Forum

    Default webGUI SSL certificate lacks any keyusages??

kjoseph

I went to put a custom, CA-signed certificate into my pfSense 2.1 configuration.  I did end up making an error with my first attempt and had to use the "Bad webGUI SSL certificate" thread (https://forum.pfsense.org/index.php?topic=3079.0) to get back into pfSense.  Basically (I assumed) I was missing the TLS Server Authentication extendedKeyUsage within my custom certificate after FF, Chrome, Opera and IE all started erroring out, telling me the certificate they were getting couldn't be used for my specific purpose (TLS).

      As a tangent topic, pfSense should reject either importing and/or using a certificate if it doesn't have the required keyUsages/extendedKeyUsages IMHO.  ::)

Anyhow, for my 2nd attempt at a custom certificate I thought I'd pull out the default SSL certificate and ensure my custom cert was an exact mirror of the default's keyUsages.  Unfortunately, when I exported the default, self-signed pfSense SSL certificate (and parsed it out) I didn't find any keyUsages or extendedKeyUsages within it at all.  :o (WTH???)  Not sure how this SSL cert is even working without any keyUsages or extendedKeyUsages.  I'm not near my server now, but I'll post a parsed version of the default SSL certificate later.

      Thinking I'm missing something here.  Anyone else have a default SSL cert that contains keyusages/extendedKeyUsages??

      K Joseph

kjoseph

        In the end I did figure this out, but for reference: here's my default cert (edited to hide real cert data).  There are no visible "keyUsage" or "extendedKeyUsage" sections. From what I see here this default certificate shouldn't work at all.

        Certificate:
            Data:
                Version: 3 (0x2)
                Serial Number:
                    xx:xx:xx:xx:xx:xx:xx:xx
                Signature Algorithm: sha256WithRSAEncryption
                Issuer:
                    C=US
                    ST=Somewhere
                    L=Somecity
                    O=CompanyName
                    OU=Organizational Unit Name (eg, section)
                    CN=Common Name (eg, YOUR name)
                    emailAddress=Email Address
                Validity
                    Not Before: xxx xx 03:10:58 2xxx GMT
                    Not After : xxx xx 03:10:58 2xxx GMT
                Subject:
                    C=US
                    ST=Somewhere
                    L=Somecity
                    O=CompanyName
                    OU=Organizational Unit Name (eg, section)
                    CN=Common Name (eg, YOUR name)
                    emailAddress=Email Address
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                        Public-Key: (1024 bit)
                        Modulus:
                            00:d7:5a:25:fc:b2:b3:4f:a5:74:de:1d:89:e0:98:
                            95:17:7f:af:xx:8d:d6:c6:2c:f7:09:cb:dc:ce:11:
                            89:6c:7c:63:42:58:27:cc:49:10:5d:af:df:12:75:
                            30:5f:4f:2e:c9:xx:4c:21:69:xx:61:66:34:b1:0c:
                            30:xx:1d:ce:da:2b:27:19:47:32:63:4a:89:55:3b:
                            xx:68:b5:51:af:38:2d:68:41:24:a4:d5:7a:14:9f:
10:81:75:xx:66:92:4e:19:xx:ab:1b:30:68:3c:2b:
                            5e:67:7a:cb:xx:4b:4a:34:d9:1b:d8:3e:8e:d3:cf:
                            d0:6c:58:b8:4a:16:ad:86:29
                        Exponent: 65537 (0x10001)
                X509v3 extensions:
                    X509v3 Subject Key Identifier:
                        xx:C8:xx:9F:xx:C5:xx:31:xx:F5:xx:5B:xx:A3:xx:77:xx:69:xx:3B
                    X509v3 Authority Key Identifier:
                        keyid:A3:xx:26:xx:7D:xx:60:xx:9A:F5:xx:5B:5A:A3:xx:77:06:69:D7:3B
                        DirName:/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
                        serial:xx:xx:xx:xx:xx:xx:xx:xx
                    X509v3 Basic Constraints:
                        CA:TRUE
            Signature Algorithm: sha256WithRSAEncryption
                0a:20:29:0e:09:32:ec:a7:89:88:a0:d7:d8:63:f1:eb:2f:cf:
                54:0d:34:xx:93:57:54:9a:af:bc:9c:30:31:3d:2a:e9:85:01:
                61:db:70:xx:48:ab:a6:93:b5:9a:xx:5a:8c:3e:3e:cf:11:fe:
                c4:53:75:c7:f5:49:6d:74:15:b6:9e:80:33:1c:9c:8a:99:c1:
                40:93:00:17:xx:7c:2d:02:9a:ba:ac:ea:7e:77:cd:3b:21:b2:
                42:50:95:e4:f8:11:b2:93:e5:dd:38:xx:6c:15:74:59:cc:cd:
                fd:4f:2d:e1:01:bf:98:d3:27:21:07:c8:30:1c:4b:8d:bb:4f:
                c4:xx

        The crazy part about this is I created a new CSR from pfSense.  Here's what I see in the keyUsage section (there wasn't an extendedKeyUsage section):

        X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment

        This CSR doesn't even contain the proper extendedKeyUsage (TLS Web Server Authentication), which is required for modern browsers to accept this certificate for the purpose of establishing a TLS connection.  IMHO the certificate tool in pfSense seems broken if it isn't even requesting the correct keyUsage/extendedKeyUsage for the pfSense certificate.

To "fix" this (I have my own PKI) I forced in the correct extendedKeyUsage of TLS Web Server Authentication (not to mention adding the IP addresses for all LAN interfaces into the subjectAltName). Once I uploaded my corrected certificate it worked without issue.

        K Joseph

adigigi
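An added example, not code from the thread or from pfSense itself, that reproduces the comparison described above: one self-signed certificate shaped like the old default (no keyUsage, no extendedKeyUsage, no subjectAltName) beside one carrying the extensions browsers expect for TLS server use, plus a check that reports which of those extensions a given certificate lacks. It assumes OpenSSL 1.1.1 or later (for -addext); the hostname and LAN address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: build a certificate
# shaped like the old default (no keyUsage, extendedKeyUsage or subjectAltName)
# next to one carrying the extensions browsers expect for TLS server use, and
# check a certificate for those extensions. Assumes OpenSSL 1.1.1+ (-addext).
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="pfsense.example.lan"   # constructed placeholder hostname
LAN_IP="192.168.1.1"         # constructed placeholder LAN address

# Self-signed cert like the one in the post: v3, but no KU/EKU/SAN at all.
make_bare_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/bare.key" -out "$WORK/bare.crt" \
        -subj "/CN=$HOST" >/dev/null 2>&1
    echo "$WORK/bare.crt"
}

# Self-signed cert with the extensions the poster had to add by hand:
# digitalSignature/keyEncipherment, serverAuth, and a SAN with the LAN IP.
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" \
        -subj "/CN=$HOST" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "subjectAltName=DNS:$HOST,IP:$LAN_IP" >/dev/null 2>&1
    echo "$WORK/server.crt"
}

# Returns 0 when the certificate at $1 has a serverAuth EKU, a digitalSignature
# keyUsage and a subjectAltName; otherwise prints each missing item and returns 1.
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    missing=0
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "$1: missing extendedKeyUsage serverAuth"; missing=1; }
    printf '%s\n' "$text" | grep -q 'Digital Signature' \
        || { echo "$1: missing keyUsage digitalSignature"; missing=1; }
    printf '%s\n' "$text" | grep -q 'Subject Alternative Name' \
        || { echo "$1: missing subjectAltName"; missing=1; }
    return $missing
}

# Run directly: the bare cert is reported, the server cert passes.
check_server_cert "$(make_bare_cert)" || true
check_server_cert "$(make_server_cert)" && echo "server cert: OK"
```

The same check_server_cert function works on a certificate exported from the GUI (openssl x509 -in cert.crt -noout -text is what produced the dump in the post), so it can be run against an existing webGUI certificate before a browser refuses it.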

          Hi kjoseph

Any idea if this issue was fixed? Doesn't seem to be.

jimp (Rebel Alliance Developer, Netgate)

This hasn't been an issue for many years. Old certs are not magically replaced, however; you have to make a new certificate, for example by running pfSsh.php playback generateguicert or by making one manually in the GUI.
