PfSense generated certificates as S/MIME?



  • Hello,

    I really have two short questions:

    • When I have generated a user cert in pfsense (using my pfsense as a CA) I can export the cert as a .p12 file to my computer. Then when I try to import/install this certificate in an OS or browser certificate manager
      it asks for a password (since it's a p12 containing the private key). But I have never gotten the choice in pfsense to set a password for the p12 file. What am I missing here?

    • Can I use these user certs as S/MIME certs in Outlook for example?

    Thanx in advance!
    /G


  • LAYER 8 Global Moderator

    The pfsense CA does not offer the option of setting a password on export.

    The CA cert manager doesn't allow you to set all the types of usage. Shoot, users cannot figure out the difference between user and server; if they gave all the options their heads would explode.

    What exactly are you wanting to do with this cert?  Sign/encrypt email to who exactly? S/MIME encryption and signing requires use of key use extensions that are not presented in the GUI.  You could always just use openssl to create such a cert.

    But if using for sending of email I would get them from a public CA..

    Please describe your use case and we can find the best solution for that.



  • Want to use the certs for email encryption and signing, yes.
    Yea, I'll probably go with a "real" CA instead. But not many of them seem to offer S/MIME-capable certs  :-\

    I was just surprised that you could export a .p12 cert but not be able to use it. Why have the function then?


  • LAYER 8 Global Moderator

    You can use it without a password… I use them all the time in EAP-TLS auth for my devices.  Not everything requires a password to import.  And if they do you can always add a password using openssl.

    Are you wanting to send email to strangers, or a known group of people?  Your other option vs S/MIME, which to be honest is more flexible, is gnupg.





  • @johnpoz:

    You can use it without a password… I use them all the time in EAP-TLS auth for my devices.  Not everything requires a password to import.  And if they do you can always add a password using openssl.

    Are you wanting to send email to strangers, or a known group of people?  Your other option vs S/MIME, which to be honest is more flexible, is gnupg.

    No, sorry. I'm just looking to email a defined known group of people. Internal email in this group only. Otherwise we're already using GPG/PGP.

    Bluekobold: I will have a look at Nitrokey, thank you.

    If anyone knows a good public CA that provides S/MIME certs please let me know.

    Regards,
    G



  • If anyone knows a good public CA that provides S/MIME certs please let me know.

    I am sorry, I am searching for an adequate and well-known certified trust center
    myself. In earlier days the German Telekom was offering a signed certificate for ~1 € a month
    and the trust center from Hamburg was offering certificates and key signing services for free to
    private users, but neither of them does this anymore.


  • LAYER 8 Netgate

    @MrGreen:

    If anyone knows a good public CA that provides S/MIME certs please let me know.

    www.startssl.com

