Netgate Discussion Forum

Digitally signed certificate error in pfSense

Category: Cache/Proxy
19 Posts 3 Posters 4.8k Views
noor

      Dear All,

I have a SAN server certificate which is working fine on all servers, but when I import it into pfSense it is also working fine but shows no Server certificate.
Can you please check whether this is a bug in pfSense?

I have attached a snapshot for your reference.

      Regards,
      Noor.
[attached screenshot: Untitled.jpg]
jimp (Rebel Alliance Developer, Netgate)

        That flag checks the cert to see if the nsCertType extension is set to "SSL Server". If that shows "No" then it must not be set that way.

        Depending on the context, that may or may not be a problem. Hard to tell from so little info. It's definitely not a bug in pfSense though, unless you look at a full dump of the cert and it really does show nsCertType as "SSL Server".

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

noor

I have asked the certificate issuer, and they say this is a server certificate.

Can you please help me troubleshoot this issue? It is not working with the pfSense transparent proxy, but it works fine when I use it for the pfSense web configurator.

jimp (Rebel Alliance Developer, Netgate)

            You'd have to run OpenSSL commands on the cert file itself to print out all of its properties and see what is set. Something simple like:

            openssl x509 -in certificate.crt -text -noout
            

            You could run that from a shell on pfSense, if you have a copy of the exported .crt on there somewhere. Easier to do on your workstation though.

            As for using a cert in a transparent proxy, that would be a problem for a different thread.

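An added example, not part of the thread and not pfSense or Netgate code, to make the check jimp describes concrete. The shell script below uses OpenSSL to issue two throwaway self-signed SAN certificates with made-up hostnames: one carries only the X509v3 Extended Key Usage "TLS Web Server Authentication" (what a public CA typically issues), the other also carries the Netscape Cert Type "SSL Server" that the "Server certificate" flag in the pfSense Cert Manager reports on. It dumps each with `openssl x509 -text -noout` and greps the two extensions separately, which is the test to run on the real certificate file. `openssl req -addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: show that "TLS Web Server Authentication" (extendedKeyUsage)
# and "SSL Server" (nsCertType) are two different extensions, and how to test
# a certificate file for each one with plain openssl. Not pfSense code.
# Needs OpenSSL >= 1.1.1 for `req -addext`. All hostnames are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mkcert STEM [-addext EXT ...]: throwaway self-signed cert in $WORK/STEM.crt.
# Every cert gets a SAN list (a "SAN certificate" as in the thread, with
# made-up names); the caller adds the extensions under test.
mkcert() {
    stem=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$stem.key" -out "$WORK/$stem.crt" \
        -subj "/CN=fw.example.test" \
        -addext "subjectAltName=DNS:fw.example.test,DNS:proxy.example.test" \
        "$@" >/dev/null 2>&1
}

# dump CERT: the full text dump jimp suggested running.
dump() { openssl x509 -in "$1" -text -noout; }

# has_eku_server CERT: true if Extended Key Usage lists TLS Web Server Authentication.
has_eku_server() {
    dump "$1" | grep -A1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# has_ns_server CERT: true if the Netscape Cert Type extension lists SSL Server.
# This is the attribute behind the "Server certificate" column in the thread.
has_ns_server() {
    dump "$1" | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# report CERT: one line with a yes/no for each of the two extensions.
report() {
    eku=no; ns=no
    has_eku_server "$1" && eku=yes
    has_ns_server "$1" && ns=yes
    printf '%s: EKU serverAuth=%s nsCertType SSL Server=%s\n' "$(basename "$1")" "$eku" "$ns"
}

# A public-CA-style cert: EKU only, like the one the issuer described.
mkcert eku_only -addext "extendedKeyUsage=serverAuth,clientAuth"
# The same, plus the legacy Netscape extension the pfSense flag looks for.
mkcert with_nstype -addext "extendedKeyUsage=serverAuth,clientAuth" -addext "nsCertType=server"

report "$WORK/eku_only.crt"      # eku_only.crt: EKU serverAuth=yes nsCertType SSL Server=no
report "$WORK/with_nstype.crt"   # with_nstype.crt: EKU serverAuth=yes nsCertType SSL Server=yes
```

Run it on a workstation with `sh`. On the issuer's certificate the `has_ns_server` check is the one that answers whether the extension is really absent; the EKU check is independent of it, which is why a certificate can show Server = No in the Cert Manager and still serve the web configurator over HTTPS.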
noor

Yes, I have followed the above instructions.
In pfSense it is not showing Server certificate or User certificate,
but when I downloaded the certificate on Windows and checked it, it showed an SSL server certificate including 20 names of my other servers, which is a SAN certificate.

The interesting thing is that the SSL certificate works fine in pfSense for its web configurator but shows Server = No.
pfSense is using this certificate for its web configurator, which means this is an SSL server certificate, but when I checked in the Cert Manager it shows Server Certificate = No.

I think this is a programming bug with digitally signed certificates; please look into this and help all of us to resolve the issue.

              Regards,

jimp (Rebel Alliance Developer, Netgate)

                Can you post the full certificate details? You can mask or remove identifying text.

noor

Snapshot attached for your reference.
Please help.

                  Regards,
                  Noor.

[attached screenshots: Snap01.jpg through Snap05.jpg]
noor

Dear, can you please forward this serious issue to the developers of pfSense? As per my understanding this is a bug in pfSense.

                    Regards,
                    Noor.

Derelict (LAYER 8, Netgate)

                      Can you just PM me the PEM certificate so I can run it through OpenSSL and see what's really there?

                      Thanks.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

noor

Please check your PM.

Derelict (LAYER 8, Netgate)

                          Certificate in question does not contain the nsCertType: SSL Server attribute.

noor

I am using this certificate for the pfSense web configurator, which is working fine on port 443. If it works fine for the pfSense web configurator, that means this is an SSL server certificate;
please correct me if I am wrong.
Also give me some clue so that I can discuss this with the certificate issuer's technical team, as they are saying that it is a server certificate.

                            your support will be highly appreciated.

                            Regards,

noor

                              Dear Derelict

I have received an answer from the certificate issuer.

Please pay attention to the “Extended Key Usage” attribute:

                              X509v3 Extended Key Usage:
                                              TLS Web Client Authentication, TLS Web Server Authentication

“TLS Web Server Authentication” means that it's an SSL server certificate.

Please advise.

jimp (Rebel Alliance Developer, Netgate)

                                Those are two different attributes.

                                "TLS Web Server Authentication" is not the same as "nsCertType: SSL Server"

                                Only "nsCertType: SSL Server" indicates a "Server Certificate".

Though there are cases that require one, the other, or both (e.g. IKEv2).

noor

                                  Dear Jimp,

I have received a reply from the certificate authority, which is quoted below.

"In fact, the “Netscape Cert Type: SSL Server” attribute doesn't have practical applications, so our SSL certificates have discarded it.

I regret that we can't add it."

Dear Jimp, please advise what your opinion is. I want to resolve this issue because it is very important for me. Without this I am unable to activate the transparent proxy with the help of a certificate in pfSense.

jimp (Rebel Alliance Developer, Netgate)

                                    That's between you and the certificate issuer. Nothing we can do there.

                                    The real question now is: Exactly what purpose are you attempting to use the certificate for that does not work?

                                    "nsCertType = SSL Server" is used for OpenVPN, certainly, but you would not want to use an externally-issued certificate structure for OpenVPN.

                                    And for SSL interception with a transparent proxy, you'd also need your own self-signed CA structure, not an externally-issued certificate.

noor

                                      Dear Jimp,

Yes, I want to use this for SSL interception with a transparent proxy, and I have used an internal CA structure, which is working fine except for one issue: some sites identify the self-signed certificate and don't work.
I have already added the certificate to the local systems' certificate stores and to the web browser, and Google, Yahoo, etc. all work fine with HTTPS, but some sites still identify the self-signed certificate, so I decided to go with a digitally signed certificate; when I added this digital certificate my Squid and SquidGuard services stopped.

Derelict (LAYER 8, Netgate)

                                        You cannot use a certificate like that to do SSL interception. Like jimp said you need a local CA.

                                        SSL interception works by dynamically creating a certificate with the CN/SAN of the site the user is trying to reach and presenting that to the user instead of the site's real certificate.

                                        You cannot do that if you do not possess the private key for the CA to sign the certificates as you create them.

                                        Chances are you do not possess the private key for that certificate authority.

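The interception mechanism Derelict describes, together with jimp's point above that the proxy needs your own CA rather than an externally issued certificate, as an added shell example that is not from the thread and not Squid, SquidGuard or pfSense code. It creates a local interception CA whose private key we hold, mints a leaf certificate whose CN and SAN match the site a user asked for (what an SSL-bump proxy does per site), and verifies the leaf against that CA. It then verifies the same leaf against a second, unrelated CA standing in for a public issuer whose key you do not hold, which fails. All hostnames and CA names are made up; it needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: what an intercepting proxy does with a local CA, and why an
# externally issued certificate cannot take the CA's place. Not Squid or
# pfSense code. Needs OpenSSL >= 1.1.1. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_ca STEM NAME: self-signed CA with the private key in $WORK/STEM.key.
# (openssl req -x509 marks it CA:TRUE with the stock configuration.)
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# mint_leaf CA HOST: the per-site step of an intercepting proxy. Produces
# $WORK/HOST.crt with CN and SAN set to HOST, signed with $WORK/CA.key.
# One leaf key pair is reused for every site, as proxies commonly do.
mint_leaf() {
    ca=$1; host=$2
    [ -f "$WORK/leaf.key" ] || openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=$host" -out "$WORK/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# chain_ok CA HOST: prints "ok" if the minted leaf validates against CA, else "fail".
chain_ok() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# leaf_san HOST: the SAN a client will see, as printed by openssl x509 -text.
leaf_san() {
    openssl x509 -in "$WORK/$1.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

new_ca proxyca  "Local Intercept CA"     # the CA installed in clients' trust stores
new_ca publicca "Some Public CA"         # stands in for an issuer whose key you do not have

mint_leaf proxyca www.example.test       # "the site the user is trying to reach"

leaf_san www.example.test                # DNS:www.example.test
chain_ok proxyca  www.example.test       # ok   (clients that trust proxyca accept it)
chain_ok publicca www.example.test       # fail (no path to an issuer we can sign with)
```

The per-site certificate the proxy presents is signed with whichever CA key the proxy holds. A certificate issued to you by a public CA comes without that CA's key, so it can only ever be presented as itself; it cannot sign the on-the-fly certificates, which is why the interception setup depends on the local CA and not on the purchased certificate.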
noor

Thanks to all of you for starting a great discussion and helping me out with a logical answer.

                                          Regards,
                                          Noor.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.