[solved] Unable to generate external CSR with custom subject

xhark · Aug 3, 2016, 3:31 PM

Hello,

I have a paied wildcard certificate *.domain.com and I need to generate a CSR and send to the CA to download the signed certificate.

Usually on GNU/Linux I use this :

openssl req -nodes -newkey rsa:2048 -sha256 -keyout pf.key -out pf.csr

And the wizard ask form informations about country, CN, Organization, etc.

But pfSense asks nothing and generate :

Generating a 2048 bit RSA private key
............+++
.................+++
writing new private key to 'pf.key'
-----

So I add the "subj" parameter (it works on GNU/Linux too) :

openssl req -nodes -newkey rsa:2048 -sha256 -keyout pf.key -out pf.csr -subj "emailAddress=me@domain.com/C=FR/ST=ISERE/L=VILLE/O=MASOCIETE/OU=IT/CN=*.mydomain.com"

But pfSense generate regardless my subject :o :

openssl req -in pf.csr -text -noout
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Somewhere, L=Somecity, O=CompanyName, OU=Organizational Unit Name (eg, section), CN=Common Name (eg, YOUR name)/emailAddress=Email Address

pfSense use the information in /etc/ssl/openssl.cnf… but why the wizard does not start?

I try with the System > Certificate Manager > Certificates > Add > Create A Certificate Signing Request, but the "OU=" (Organizational Unit) is missing... and my ahtority need this field in my CSR to return the certificate :(

Is is possible to add the "OU" field in next pfSense version ?
Why pfSense is ignoring my subject ?
Is it possible to start the openssl wizard ?

thank you for your help !

note : I prefer not to edit the file directly openssl.cnf

johnpoz · Aug 2, 2016, 8:00 PM

what version of pfsense are you using - the OU field is clearly there, are you saying even though you put stuff in there its not actually in the CSR?

xhark · Aug 2, 2016, 8:43 PM

Hello johnpoz: the last (2.3.2). There is "organizational unit" and "Organization", "organizational unit" is missing.

johnpoz · Aug 2, 2016, 8:44 PM

the current version is 2.3.2, 2.2.3 is well over a year old and not even the latest in the 2.2.x line.. which was 2.2.6

And clearly as you can see in my attached screenshot Org is clearly there in 2.3.2, ah!!! Org is there But Org Unit you are right is missing… Hmm.. Should submit that to redmine.

OU is also missing from the internal, that is not always a requirement - but I agree with you it should be there. All possible fields should be there. be they used or not.

On a bit of a side note, just for my own curiosity what is the point of needing a public CA signed cert for pfsense? Why is self signed not enough? You can trust the CA for sure, are you using this in say the captive portal?

edit: I did a test csr and yeah its missing, thought maybe it was just missing from the gui and putting in some default. But I created the csr and OU is in fact not there. It should also be there on the internal certs, etc. I created issue in redmine.. I did a search for csr and found nothing in the current issues

https://redmine.pfsense.org/issues/6672

xhark · Aug 2, 2016, 8:47 PM

Sorry it's 2.3.2 not 2.3.2, keyboard mistake!

I will submit this to redmine. Any idea about the wizard ? a missing compilation option of openssl ?

Yes sure I can use the internal CA, but I have no limit with my certificate and no warning in browsers… so why not use it ? :)

johnpoz · Aug 2, 2016, 8:48 PM

I already created it in redmine - feel free to add comments and or details to the issue. See my link added to my above post.

xhark · Aug 2, 2016, 9:40 PM

Thank you, feel free to delete mine (or merge) https://redmine.pfsense.org/issues/6673

jimp · Aug 3, 2016, 2:50 PM

I just pushed a fix to add in the field, you can pick up the commit with the System Patches package once the commit shows up on github.

xhark · Aug 3, 2016, 3:31 PM

thank you, it works ! good job :)