Password in client export


  • Rebel Alliance

    Can anyone define the "Password Protect Certificate" option please?
    "Use a password to protect the pkcs12 file contents or key in Viscosity bundle"

    Can this be used for Inline Configs? (Android / iOS) - I assume not.
    But is there a similar way to protect those certs?
    I store them in an encrypted drive, but they are harder to control in distribution.


  • Rebel Alliance Developer Netgate

    That is for the archive or bundled formats (Windows installer, Viscosity bundle, zip archive).

    There isn't a way to password protect inline configurations in the exported format. For that you'd need to have a passphrase on the certificate itself, which isn't supported in the pfSense GUI at all currently.


  • Rebel Alliance Global Moderator

    @jimp said in Password in client export:

    which isn’t supported in the pfSense GUI at all currently.

    Is that something that will change in some future update? Not a concern of mine - just curious. Like the removal of the email requirement in the gui should prob happen at some future date.


  • Rebel Alliance Developer Netgate

    @johnpoz said in Password in client export:

    @jimp said in Password in client export:

    which isn’t supported in the pfSense GUI at all currently.

    Is that something that will change in some future update? Not a concern of mine - just curious. Like the removal of the email requirement in the gui should prob happen at some future date.

    It would break quite a lot or effectively nullify the security since it either (a) would have to store the password for the cert, which seems like a bad idea, or (b) it wouldn't be able to use the certificate internally for certain purposes in those cases so we'd need more code to filter/exclude them from being listed in various places throughout the GUI.

    It's not impossible, just impractical and thus far we haven't had a compelling reason to jump through all the hoops to do it.


  • Rebel Alliance Global Moderator

    No, not for the gui being used for the web ui.. But for creating, say, a user cert on export of the key, etc.

    It wouldn't need to be stored anywhere.


  • Rebel Alliance Developer Netgate

    @johnpoz said in Password in client export:

    No, not for the gui being used for the web ui.. But for creating, say, a user cert on export of the key, etc.

    Ah, that is more likely, but would require some extra smarts in the exporting code to collect/validate/apply the password. Doable but as above, thus far hasn't been something we've put any energy into.


  • Rebel Alliance Global Moderator

    Yeah, not a big issue, when you need to install into something that wants to see a password you can just add it via openssl.. Was just curious - thanks. When you're wanting your iOS phone to connect to an EAP-TLS wifi network it wants a password. It will not take blank, and space doesn't work, etc.

    Not a big deal if doing a handful.
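    The "add it via openssl" step from the post above, as an added example that is not code from the thread or from pfSense: it takes a PEM certificate plus its unencrypted key (the form the inline export carries), wraps them in a PKCS#12 bundle protected by a non-blank password, and checks the password before the bundle is handed to a device. The self-signed certificate and the password are constructed stand-ins; only the `openssl` CLI is assumed.

```shell
#!/bin/sh
# Added example (not code from the thread or from pfSense): wrap a PEM cert and its
# unencrypted key, the form pfSense exports inline, into a password-protected PKCS#12
# bundle with the openssl CLI, then verify the password before handing it to a device.
set -e

# Constructed stand-in for exported material: a throwaway self-signed client
# certificate and key written into directory $1.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/client.key" -out "$1/client.crt" \
    -subj "/CN=constructed-test-client" >/dev/null 2>&1
}

# bundle_p12 CRT KEY PASSWORD OUT
# Writes OUT as a PKCS#12 bundle whose contents and key are protected by PASSWORD.
# An empty password is refused: devices such as iOS will not import a blank one anyway.
bundle_p12() {
  [ -n "$3" ] || { echo "refusing to export with an empty password" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "client" \
    -out "$4" -passout "pass:$3" >/dev/null 2>&1
}

# p12_opens_with BUNDLE PASSWORD: exit 0 if the bundle's MAC verifies under
# PASSWORD (i.e. the bundle is readable), non-zero otherwise.
p12_opens_with() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Stand-alone run: build the bundle and confirm only the right password opens it.
workdir=$(mktemp -d)
make_test_material "$workdir"
bundle_p12 "$workdir/client.crt" "$workdir/client.key" 'constructed-pass' "$workdir/client.p12"
p12_opens_with "$workdir/client.p12" 'constructed-pass' && echo "opens with correct password"
p12_opens_with "$workdir/client.p12" 'wrong-pass' || echo "rejected with wrong password"
rm -rf "$workdir"
```

If an older device rejects the bundle, OpenSSL 3's `openssl pkcs12 -export -legacy` emits the older PKCS#12 cipher set such devices expect; keep the default otherwise.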