Internal certificate issues without SubjectAlternativeName on pfSense 2.4



  • I just recently upgraded to pfSense 2.4, with very few problems.

    The box already had an internal certificate (I produced a working certificate in the cert manager in pfSense 2.3). It was a wildcard cert, so *.local.something.com.  The complete certificate information given by the little "i" icon is this:

    Serial: 4
    Signature Digest: RSA-SHA512
    SAN: DNS:*.local.something.com
    KU: Digital Signature, Key Encipherment
    EKU: TLS Web Server Authentication, IP Security IKE Intermediate

    This is fine. But now, on pfSense 2.4, I need to issue a new one, let's call it *.internal.something.com. Whenever I create it, it does not seem to fill in the name for the SAN value, whether I explicitly put one in or not (the cert manager page states that "The Common Name field is automatically added to the certificate as an Alternative Name. The signing CA may ignore or change these values."). For completeness, the info icon gives me this:

    Serial: 12
    Signature Digest: RSA-SHA512
    KU: Digital Signature, Key Encipherment
    EKU: TLS Web Server Authentication, IP Security IKE Intermediate

    Notice the missing SAN value.

    This, in turn, ends up giving me errors in Chrome, as Chrome needs a SubjectAlternativeName in the certificate. I would just like the certificate to be created with a filled-in SAN value of *.internal.something.com, which I suspect would take care of Chrome's complaints.

    Either something has changed in 2.4 or I forgot how I added the SAN in 2.3, but any help would be appreciated.


  • Rebel Alliance Developer Netgate

    It looks like something in the automatic SAN populating code doesn't like wildcards. I was able to make a cert so long as I put a non-wildcard name in the CN and put the wildcard in the SAN.

    I'll get that fixed up shortly. https://redmine.pfsense.org/issues/7994
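    To check a certificate before deploying it, here is an added example (not from this thread or from pfSense) that builds a test cert the way the workaround above describes, a plain hostname in the CN with the wildcard in the SAN, and then verifies it the way Chrome does: by SAN entries only, ignoring the CN. It assumes openssl 1.1.1 or newer on PATH; all hostnames are placeholders.

```shell
# Added example, not from the thread: build a cert the way Netgate's workaround
# describes (plain hostname in the CN, wildcard in the SAN) and check it the way
# Chrome does, by SAN entries only. Assumes openssl >= 1.1.1; names are placeholders.
set -e
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# make_cert OUT CN [SAN]: self-signed test cert; leave SAN empty to mimic the bug.
make_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
            -out "$1" -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1.key" \
            -out "$1" -subj "/CN=$2" >/dev/null 2>&1
    fi
}

# cert_san CERT: print the DNS names from the SAN extension, one per line.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# cert_has_san CERT: succeed only if at least one DNS SAN entry is present.
cert_has_san() { [ -n "$(cert_san "$1")" ]; }

# cert_covers CERT HOST: succeed if a SAN entry matches HOST exactly, or a
# leading "*" entry matches with "*" standing for exactly one label (as browsers do).
cert_covers() {
    host="$2"
    cert_san "$1" | {
        while IFS= read -r san; do
            case "$san" in
                "$host") exit 0 ;;
                '*.'*) [ "${host#*.}" = "${san#\*.}" ] && exit 0 ;;
            esac
        done
        exit 1
    }
}
# good.pem follows the workaround; bad.pem has a wildcard CN and no SAN at all.
make_cert "$WORKDIR/good.pem" fw.internal.something.com \
    "DNS:*.internal.something.com,DNS:fw.internal.something.com"
make_cert "$WORKDIR/bad.pem" '*.internal.something.com' ""
for c in good bad; do
    cert_has_san "$WORKDIR/$c.pem" && echo "$c.pem SAN: $(cert_san "$WORKDIR/$c.pem" | tr '\n' ' ')" \
        || echo "$c.pem has no SAN, so Chrome ignores its CN and rejects it"
done
```

Run it against your own exported certificate with `cert_san /path/to/cert.pem` to confirm the SAN line that the info icon is missing is actually present in the file.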



  • Thank you for the confirmation. Will wait for the next patch(es).

