Netgate Discussion Forum

Get certificates from Pfsense Cert Manager using linux commandline

General pfSense Questions
  • Y
    YamakasY
    last edited by Nov 22, 2017, 3:31 PM

    Is there a way to get the certificates from the Cert. Manager in pfsense on some other box by using a URL and wget or curl?

    I would like to use Pfsense as my central Cert Management server so it would be great if it's possible in some way.

    Any ideas ?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Nov 22, 2017, 6:23 PM

      Not with what is currently on the firewall.

      The certificates are stored in the configuration, not in an accessible place on the filesystem.

      You could write a script to parse them out of the config.xml but there are no tools around currently that will do exactly what you're after.

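The kind of script jimp describes, as an added example (not code from this thread or from the pfSense project). It assumes a copy of config.xml in which each top-level `<cert>` element carries `<refid>`, `<descr>`, and base64-encoded PEM in `<crt>` and `<prv>`; the function names and the sample data are made up for the illustration.

```python
import base64
import os
import re
import xml.etree.ElementTree as ET

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample input: a trimmed config.xml with one <cert> entry.
# The PEM bodies are dummy text, not real certificates or keys.
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nZHVtbXkgY2VydA==\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nZHVtbXkga2V5\n-----END PRIVATE KEY-----\n"
SAMPLE_CONFIG = (
    "<pfsense><cert><refid>0123456789abc</refid>"
    "<descr><![CDATA[webgui-example]]></descr>"
    f"<crt>{_b64(SAMPLE_CRT)}</crt><prv>{_b64(SAMPLE_KEY)}</prv>"
    "</cert></pfsense>"
)

def extract_certs(config_xml):
    """Map each certificate's description to its refid and decoded PEM text."""
    certs = {}
    for node in ET.fromstring(config_xml).findall("cert"):
        def pem(tag):
            raw = node.findtext(tag)
            return base64.b64decode(raw).decode("ascii") if raw else None
        certs[node.findtext("descr", "")] = {
            "refid": node.findtext("refid"), "crt": pem("crt"), "prv": pem("prv")}
    return certs

def _write(path, text, mode):
    # Set the mode before writing so key material never sits in a looser file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    os.fchmod(fd, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

def export_cert(config_xml, descr, outdir):
    """Write <descr>.crt (0644) and <descr>.key (0600) into outdir; return the paths."""
    entry = extract_certs(config_xml)[descr]       # KeyError if no such certificate
    stem = re.sub(r"[^A-Za-z0-9._-]", "_", descr)  # descr must not steer the path
    paths = {}
    for ext, field, mode in ((".crt", "crt", 0o644), (".key", "prv", 0o600)):
        if entry[field]:
            paths[field] = os.path.join(outdir, stem + ext)
            _write(paths[field], entry[field], mode)
    return paths
```

Anything that can read config.xml can read every private key stored in it, so a copy of the file needs the same protection as the keys themselves.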
      • Y
        YamakasY
        last edited by Nov 23, 2017, 4:40 PM

        @jimp:

        Not with what is currently on the firewall.

        The certificates are stored in the configuration, not in an accessible place on the filesystem.

        You could write a script to parse them out of the config.xml but there are no tools around currently that will do exactly what you're after.

        OK, but as there is an "export key" button in the GUI can we not create a user which is able to only download certs or so?

        Sounds like an idea ?

        • L
          lilhater27
          last edited by lilhater27 Aug 31, 2018, 7:29 AM Aug 31, 2018, 7:28 AM

          Hi,

          I know this is old but if anyone else is ever looking for this, here's a quick example of how it might be done.

          You would need to change the "certname" and the "id" in the script.

          The id can be found when hovering over the export buttons in the web gui.

          I commented out the rms because they were deleting before the wget was done.

          
          BACKUPDIR="where the cert will go"
          USERNAME="pfsense user"
          PASSWORD="pfsense password"
          PORT="pfsense port"   # not used below; if the GUI is on a non-default port, add ":port" to SITE
          SITE="pfsense ip or address"

          # The cookie jar and the exported key are secrets: create files owner-only.
          umask 077

          # Fetch the page once to get a session cookie and the first CSRF token.
          # Note: --no-check-certificate disables TLS verification of the firewall.
          wget -qO- --keep-session-cookies --save-cookies /tmp/pfsense_cookies.txt \
            --no-check-certificate "https://$SITE/system_certmanager.php" \
            | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > /tmp/pfsense_csrf.txt

          # Log in with that token and save the CSRF token of the authenticated page.
          wget -qO- --keep-session-cookies --load-cookies /tmp/pfsense_cookies.txt \
            --save-cookies /tmp/pfsense_cookies.txt --no-check-certificate \
            --post-data "login=Login&usernamefld=$USERNAME&passwordfld=$PASSWORD&__csrf_magic=$(cat /tmp/pfsense_csrf.txt)" \
            "https://$SITE/system_certmanager.php" | grep "name='__csrf_magic'" \
            | sed 's/.*value="\(.*\)".*/\1/' > /tmp/pfsense_csrf2.txt

          if [ -e /tmp/pfsense_cookies.txt ]; then
            # act=exp downloads the certificate with the given id.
            FILENAME="$BACKUPDIR/certname.crt"

            wget --keep-session-cookies --load-cookies /tmp/pfsense_cookies.txt --no-check-certificate \
              --post-data "act=exp&id=1&__csrf_magic=$(head -n 1 /tmp/pfsense_csrf2.txt)" \
              "https://$SITE/system_certmanager.php" -O "$FILENAME"

            # act=key downloads the matching private key.
            FILENAME2="$BACKUPDIR/certname.key"

            wget --keep-session-cookies --load-cookies /tmp/pfsense_cookies.txt --no-check-certificate \
              --post-data "act=key&id=1&__csrf_magic=$(head -n 1 /tmp/pfsense_csrf2.txt)" \
              "https://$SITE/system_certmanager.php" -O "$FILENAME2"

            #rm -f /tmp/pfsense_cookies.txt
            #rm -f /tmp/pfsense_csrf.txt
            #rm -f /tmp/pfsense_csrf2.txt
          else
            echo "Failed to retrieve cert from $SITE"
          fi
          
          • L
            luisenrique
            last edited by Apr 25, 2019, 3:11 AM

            Sorry for replying to this old post.

            So for the opposite operation, to import a certificate or maybe overwrite a specific certificate: is it possible, or does some scripted solution exist?
            Today I'm looking for a solution to automate the copy to other pfSense boxes and import these certificates previously generated by acme. I will ask a developer in another department for help to search for the encoded certificate and replace it with the new one if it has not been changed or expired, using PHP on the XML config, based on other scripts like this: https://forum.netgate.com/topic/95774/automating-certificate-imports-with-letencrypt-script/12
