ACME no CA.key, can't create user certs without



  • I am on pfSense 2.4. I used to have the CA key issued by ACME when on pfSense 2.3; my renewal setup didn't make the move. I set up a new certificate in ACME but it doesn't give me the CA.key any longer. YES, it happened. I have been looking for it to no avail. This is useless without the CA.key; I might as well use a self-signed CA. Where is it stashed? Does anyone know? Or care? Sorry for my snippiness, but I am more than a little irked at this point. I have been trying to find it or create a new key on the command line, but the system won't let me and I am by no means an expert.



  • This might help:
    When creating that key, do NOT use spaces in the description name.


  • Rebel Alliance Developer Netgate

    ACME never gives you the CA.key, only the CA.crt.

    You can't make and issue your own certificates in the certificate manager using ACME. You have to use the ACME package interface.

    What is it, exactly, that you are trying to do with the ACME CA that is failing?



  • Believe it or not, I wiped my system of 2.3 and installed 2.4 from ISO, then went through the 2.3 XML file and rebuilt the system as before. I had a valid CA key generated by the ACME package. I still have it; the problem is my certificates expire July 14 and the saved renewal in ACME didn't survive my redo. Maybe I wasn't supposed to have it, but I did... I can make ACME requests all day long and they are put in the Certificate Manager, no CA key. I need the key to make user certificates that jive with what is returned to Cert Mgr by ACME, right? I have been trying end-arounds looking for that CA key for a week. Maybe I am overthinking this, I do that... My goal is Wi-Fi access via certificates. FreeRADIUS 3 is another thing, chicken or the egg. Need to get my certificate issue worked out before I put any more time into that. I installed sudo and created a CA in a new directory /usr/local/openssl/ca, then copied the key and cert as text, then pasted them into Cert Mgr and created an intermediate from that, then a server cert. I needed the text output to put it on other machines. I know this is not ideal, but it would make things a lot easier if I could find the directory where Cert Mgr actually puts things when it creates them instead of having to create new directories... TMI, right?


  • Rebel Alliance Developer Netgate

    @huckabuck:

    Maybe I wasn't supposed to have it, but I did... I can make ACME requests all day long and they are put in the Certificate Manager, no CA key.

    No, you did not have it.

    @huckabuck:

    I need the key to make user certificates that jive with what is returned to Cert Mgr by ACME, right? I have been trying end-arounds looking for that CA key for a week.

    No, you don't. You do not make user certificates based on the ACME CA. You can only make certificates that ACME can validate and issue. You can make requests, but you have to validate them through Let's Encrypt in some way (DNS, web requests to a domain name, etc.). None of that is possible for user certificates.

    @huckabuck:

    My goal is Wi-Fi access via certificates. FreeRADIUS 3 is another thing, chicken or the egg. Need to get my certificate issue worked out before I put any more time into that. I installed sudo and created a CA in a new directory /usr/local/openssl/ca, then copied the key and cert as text, then pasted them into Cert Mgr and created an intermediate from that, then a server cert. I needed the text output to put it on other machines. I know this is not ideal, but it would make things a lot easier if I could find the directory where Cert Mgr actually puts things when it creates them instead of having to create new directories... TMI, right?

    Use a self-signed CA for that, not ACME.

    You only need ACME for things that require a chain of trust for a server certificate, like a web server, mail server, etc. If the clients also need certificates from the CA, a globally trusted CA is actually worse for you than a self-signed CA. Anyone, anywhere in the world with a certificate signed by the same CA could also connect to your Wi-Fi which is undoubtedly NOT what you want.

    If you were using EAP/PEAP without client certificates, then FreeRADIUS 3 could use ACME for the server side only, because it just needs the server certificate and not user certificates. For anything that requires user certificates or validation (e.g. OpenVPN), use a self-signed CA.
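    The trust-anchor point above, as an added example that is not code from this thread, pfSense or FreeRADIUS: a private CA built with plain openssl issues the RADIUS server cert and a user cert, and a cert from an unrelated CA is rejected by the same verification a RADIUS server performs on an EAP-TLS client. Every CA name, hostname and CN below is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/FreeRADIUS:
# a private (self-signed) CA for EAP-TLS user certificates, built with
# plain openssl. It demonstrates jimp's point: only certs issued by THIS
# CA verify, so a cert from any other CA (e.g. a public ACME chain) is
# rejected. All names and CNs below are constructed for the example.

WORK="$(mktemp -d)"            # scratch dir; nothing touches the system
trap 'rm -rf "$WORK"' EXIT
SERIAL=1000                    # distinct serial per issued cert

# new_ca NAME CN : self-signed root key + cert (10 years)
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issue CA NAME CN : key + CSR for NAME, signed by CA with a fresh serial
issue() {
  SERIAL=$((SERIAL + 1))
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1 &&
  openssl x509 -req -sha256 -days 365 -set_serial "$SERIAL" \
    -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verifies CA NAME : exit 0 if NAME's cert chains to CA, the same check a
# RADIUS server applies to a presented EAP-TLS client certificate
verifies() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# serial_of NAME : hex serial of NAME's cert
serial_of() { openssl x509 -noout -serial -in "$WORK/$1.crt" | cut -d= -f2; }

# The private Wi-Fi CA issues the RADIUS server cert and one user cert.
new_ca wifi-ca "Example Home Wi-Fi CA"
issue  wifi-ca radius "radius.example.internal"
issue  wifi-ca alice  "alice"

# An unrelated CA stands in for "some other globally trusted CA".
new_ca other-ca "Unrelated CA"
issue  other-ca mallory "mallory"

verifies wifi-ca alice   && echo "alice:   accepted by wifi-ca"
verifies wifi-ca radius  && echo "radius:  chains to wifi-ca"
verifies wifi-ca mallory || echo "mallory: rejected, issued by another CA"
echo "serials: alice=$(serial_of alice) radius=$(serial_of radius)"
```

    The RADIUS server would be configured with wifi-ca.crt as its trusted CA, and mallory's cert is refused even though it is perfectly valid under other-ca; with a public CA in that role, anyone holding a cert from the same issuer would pass.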



  • I didn't mean that I submitted the user certificates to ACME. I actually had the CA key ("intermediate cert", I guess) that I had as a result of a previous certificate that ACME returned to me for pfSense and about a half dozen other hosts downstream. Valid, no BS, I still have a legit key+cert that I can sign new public certificates with; it expires July 14. Anyway, I am just using self-signed for everything. I managed to find the intermediate and server certs I created in Cert Mgr in FreeRADIUS 3's /usr/local/etc/raddb/certs. I compared the keys I downloaded from Cert Mgr against the keys there; sure enough. Used the intermediate to create a new server cert on the second box, counting down to avoid certs with the same serial number. It would sure make things easier, but I guess that's the point, sort of; but if someone is smart enough to gain access to the OS then they are smart enough to find them, it just took me a lot longer because I am not very good at this. I will surface again shortly on the FreeRADIUS post, not having any luck with certificate authentication; pswd auth is good though. See ya there Jimp, thanks for the advice.