
    Internal certificate issues without SubjectAlternativeName on pfSense 2.4

    • mgaudette

      I just recently upgraded to pfSense 2.4, with very few problems.

      The box already had an internal certificate (I produced a working certificate in the cert manager in pfSense 2.3). It was a wildcard cert, so *.local.something.com.  The complete certificate information given by the little "i" icon is this:

      Serial: 4
      Signature Digest: RSA-SHA512
      SAN: DNS:*.local.something.com
      KU: Digital Signature, Key Encipherment
      EKU: TLS Web Server Authentication, IP Security IKE Intermediate

      This is fine. But now, on pfSense 2.4, I need to issue a new one, let's call it *.internal.something.com. Whenever I create it, it does not seem to fill in the name for the SAN value, whether I explicitly put one in or not (the cert manager page states that "The Common Name field is automatically added to the certificate as an Alternative Name. The signing CA may ignore or change these values."). For completeness, the info icon gives me this:

      Serial: 12
      Signature Digest: RSA-SHA512
      KU: Digital Signature, Key Encipherment
      EKU: TLS Web Server Authentication, IP Security IKE Intermediate

      Notice the missing SAN value.

      This, in turn, ends up giving me errors in Chrome, as Chrome needs a SubjectAlternativeName in the certificate. I would just like the certificate to be created with a filled-in SAN value of *.internal.something.com, which I suspect would take care of Chrome complaints.

      Either something has changed in 2.4 or I forgot how I added the SAN in 2.3, but any help would be appreciated.

      • jimp (Rebel Alliance Developer Netgate)

        It looks like something in the automatic SAN populating code doesn't like wildcards. I was able to make a cert so long as I put a non-wildcard name in the CN and put the wildcard in the SAN.

        I'll get that fixed up shortly. https://redmine.pfsense.org/issues/7994

        • mgaudette

          Thank you for the confirmation. Will wait for the next patch(es).

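Added example, not part of the thread and not pfSense code: a shell check, using the OpenSSL command line (1.1.1 or later), that a certificate really lists the wildcard name in its SAN. It runs against two throwaway self-signed certificates modelled on the first post (wildcard CN, no SAN) and on the workaround in jimp's reply. The non-wildcard CN `internal.something.com`, the function names and the file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; names, paths and certificates are constructed for illustration.
# Requires OpenSSL 1.1.1 or later (req -addext, x509 -ext).

# cert_has_san CERT DNS_NAME: succeed only if DNS_NAME is a SAN entry in CERT.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

# make_cert PREFIX CN [SAN_LIST]: write a throwaway self-signed PREFIX.crt.
make_cert() {
    prefix=$1 cn=$2 san=$3
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 1 \
            -subj "/CN=$cn" -addext "subjectAltName=$san" \
            -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 1 \
            -subj "/CN=$cn" \
            -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WILD='*.internal.something.com'

# Case 1: wildcard only in the CN, no SAN (the result described in the first post).
make_cert "$WORK/cn_only" "$WILD"
# Case 2: the workaround from the reply: non-wildcard CN (assumed name),
# wildcard placed in the SAN.
make_cert "$WORK/with_san" "internal.something.com" "DNS:$WILD"

for c in cn_only with_san; do
    if cert_has_san "$WORK/$c.crt" "$WILD"; then
        echo "$c: SAN contains $WILD"
    else
        echo "$c: SAN entry for $WILD is missing"
    fi
done
```

The same `cert_has_san` call can be pointed at a certificate exported from the cert manager before it is deployed.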