Netgate Discussion Forum
    Certificate Manager internal CA and certificate validity

    General pfSense Questions
    6 Posts 2 Posters 712 Views
    mhollis60

      Hi,

      I'm running pfSense 2.4.2p1 and just started playing with the certificate manager. I have created an internal-ca with a validity of 10 years (default). I then created a new server certificate, but as a test entered a longer "valid until" date than the CA. I was a bit surprised to find the CA signed the certificate using the longer expiry date. My understanding was that a CA should only sign certificates based on its own valid until date. I can see a problem whereby a user will install a server certificate in future thinking it is valid for x number of years only to find the CA expires before.

      Does anyone know if this is a known issue that needs to be highlighted in a bug tracker?

      Cheers,
      Mark.

    johnpoz LAYER 8 Global Moderator

        So you're saying your CA is good until, say, Jan 1 2028, and your cert says it's good til Jan 1 2030? Or something like that?

        I do not believe there is a requirement in any RFC that a CA cannot issue a cert longer than its current life.. While some CAs have implemented such a check - off the top of my head I am not aware of any specific RFC that declares a CA cannot sign a cert with a life longer than the CA's current life..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        mhollis60

          That's correct. That's what I'm seeing. I create a server certificate using the internal CA and it allows me to put a longer valid date on the certificate.

          johnpoz LAYER 8 Global Moderator

            See my edit…

            Even when the CA expires, as long as you create the new CA with the private key of the old CA, the signed cert will still validate off the new CA.. you would just need to trust the new CA you created from the old CA private key.

            If that wasn't the case, as the CA got closer to its expiry date you could only sign shorter and shorter lengths of time for certs...

            mhollis60

              OK thanks. I guess the server certificate would be deemed invalid once the CA expires anyway as the chain of trust would be broken? Putting a check into the code at the time of signing would prevent certificates mistakenly being signed with a non-valid expiry date, but then again I guess it is up to the admin to make sure his CA and the certificates being signed are using the correct dates in the first place  :)

              johnpoz LAYER 8 Global Moderator

                Yeah, I do not think there is an RFC stating you cannot sign certs long - there are scenarios when you would for sure need to be able to do that..

                Let's say you need to issue certs for 3 years, but your CA expires in 2.. so now you have to redo your CA 2 years before it expires.. That would suck ;)  So you just make sure that you create your NEW CA with the same private key before the 2 years expire.

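Reproducing the behaviour discussed in this thread with plain OpenSSL, as an added example that is not from the thread or from pfSense: a one-year CA signs a three-year server certificate without complaint, the chain validates today, fails once the CA's own window has passed, and validates again after the CA certificate is re-issued from the same private key. The subject names, key sizes and the two-year check instant are constructed for the example.

```shell
#!/bin/sh
# Added example, not pfSense code. Requires the openssl CLI.
set -e
work=$(mktemp -d)
cd "$work"

# Constructed lab CA, valid for 1 year (subject and key size are assumptions).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Lab Internal CA" -days 365 2>/dev/null

# Server CSR, then sign it for 3 years: longer than the CA, and OpenSSL allows it.
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=srv.example.test" 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1095 -out srv.pem 2>/dev/null

# verify_at <epoch-seconds> <trusted-CA-file>: chain check at that instant.
# RFC 5280 path validation requires EVERY certificate in the chain to be
# inside its validity window, so an expired CA fails the leaf too.
verify_at() {
  if openssl verify -attime "$1" -CAfile "$2" srv.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

now=$(date +%s)
in_two_years=$((now + 2 * 365 * 86400))

verify_at "$now" ca.pem            # ok: leaf and CA both inside their windows
verify_at "$in_two_years" ca.pem   # fail: leaf still unexpired, but the CA is

# Renew the CA certificate from the SAME private key and subject, as suggested
# in the thread. The leaf's signature (and its key-id based AKID) still match,
# so trusting the renewed CA makes the existing leaf validate again.
openssl req -x509 -new -key ca.key -out ca-renewed.pem \
  -subj "/CN=Lab Internal CA" -days 3650 2>/dev/null
verify_at "$in_two_years" ca-renewed.pem   # ok: same key, fresh validity window
```

The admin's takeaway from the thread is the same: the leaf's long expiry only buys anything if the CA certificate is re-issued from the same key and redistributed to every trust store before the old one lapses.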
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.