Digital signed Certificate error in pfsense



  • Dear All,

    I have SAN Server certificate which is working fine in all server but when i importing in pfsense it is also working fine but showing no Server certificate.
    can you please check is it bug of pfsense.

    i have attached snapshot for your reference.

    Regards,
    Noor.


  • Rebel Alliance Developer Netgate

    That flag checks the cert to see if the nsCertType extension is set to "SSL Server". If that shows "No" then it must not be set that way.

    Depending on the context, that may or may not be a problem. Hard to tell from so little info. It's definitely not a bug in pfSense though, unless you look at a full dump of the cert and it really does show nsCertType as "SSL Server".



  • I have asked to the certificate issuer in which they are saying this is Server certificate.

    can you please help how to troubleshoot this issue. because it is not working with pfsense transparent proxy but working fine when i am using for pfsense web configurator.


  • Rebel Alliance Developer Netgate

    You'd have to run OpenSSL commands on the cert file itself to print out all of its properties and see what is set. Something simple like:

    openssl x509 -in certificate.crt -text -noout
    

    You could run that from a shell on pfSense, if you have a copy of the exported .crt on there somewhere. Easier to do on your workstation though.

    As for using a cert in a transparent proxy, that would be a problem for a different thread.



  • Yes i have followed above instructions
    in pfsense it is not showing server certificate OR User certificate
    but when i downloaded the certificate in windows and checked it is showing SSL server certificate included 20 names of my other server which is SAN certificate.

    interesting thing is that the SSL certificate working fine in pfsense for its web configurator but showing Server = No
    pfsense using this certificate for its web configurator which means this is SSL server certificate but when i checked in Cert manager it is showing server Certificate = No

    i think this is programming but with Digital signed certificate please look into this and help all of us to resolve that issue.

    Regards,


  • Rebel Alliance Developer Netgate

    Can you post the full certificate details? You can mask or remove identifying text.



  • Snapshot attached for your reference.
    please help

    Regards,
    Noor.












  • Dear can you please forward this serious issue to developers of pfsense as per my understanding this is the bug in pfsense.

    Regards,
    Noor.


  • Netgate

    Can you just PM me the PEM certificate so I can run it through OpenSSL and see what's really there?

    Thanks.



  • please check your PM


  • Netgate

    Certificate in question does not contain the nsCertType: SSL Server attribute.



  • i am using this certificate for pfsense web configurator which is working fine with port 443 if it is working fine for pfsense web configurator that means this is SSL server certificate
    please do correct if i am wrong.
    also give me some clue so that i can discuss this with certificate issuer technical team as they are saying that is server certificate.

    your support will be highly appreciated.

    Regards,



  • Dear Derelict

    I have received answer from certificate issuer .

    Please attention “Extended Key Usage” attribute :

    X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication

    “TlS Web Server Authentication” mean that it’s a SSL Server certificate.

    please advise.


  • Rebel Alliance Developer Netgate

    Those are two different attributes.

    "TLS Web Server Authentication" is not the same as "nsCertType: SSL Server"

    Only "nsCertType: SSL Server" indicates a "Server Certificate".

    Though there are cases that require one, the other, or both. (e.g. IKEv2)



  • Dear Jimp,

    I have received reply from certificate authority which is mentioned as below.

    " In fact ,the “Netscape Cert Type: SSL Server attribute” don’t have practical applications. So  our SSL certificate had discarded it.

    I regret to that we can’t adding it.

    Dear Jimp please advise what is your opinion i want to resolve that issue because it is very important for me. without this i am unable to activate transparent proxy with the help of certificate in pfsense .


  • Rebel Alliance Developer Netgate

    That's between you and the certificate issuer. Nothing we can do there.

    The real question now is: Exactly what purpose are you attempting to use the certificate for that does not work?

    "nsCertType = SSL Server" is used for OpenVPN, certainly, but you would not want to use an externally-issued certificate structure for OpenVPN.

    And for SSL interception with a transparent proxy, you'd also need your own self-signed CA structure, not an externally-issued certificate.



  • Dear Jimp,

    yes i want to use this for SSL interception with a transparent proxy and i have used internal CA structure which is working fine except one issue which is some sites are identified self signed certificate and not working.
    I have already added certificate in local systems certificate and in web browser and google, yahoo, etc all sites are working fine with https but only some sites identified the self signed certificate and then i decided to go with digital signed certificate and when i added this digital certificate my squid and squid guard services became stopped.


  • Netgate

    You cannot use a certificate like that to do SSL interception. Like jimp said you need a local CA.

    SSL interception works by dynamically creating a certificate with the CN/SAN of the site the user is trying to reach and presenting that to the user instead of the site's real certificate.

    You cannot do that if you do not possess the private key for the CA to sign the certificates as you create them.

    Chances are you do not possess the private key for that certificate authority.



  • Thanks to All of you to start great discussion and helped me out with logical answer.

    Regards,
    Noor.


Locked