Password in client export
-
Can anyone define the "Password Protect Certificate" option please.
"Use a password to protect the pkcs12 file contents or key in Viscosity bundle"
Can this be used for Inline Configs? (Android / iOS) - I assume not
But is there a similar way to protect those certs?
I store them in an encrypted drive, but they are harder to control in distribution.
-
That is for the archive or bundled formats (Windows installer, Viscosity bundle, zip archive)
There isn't a way to password protect inline configurations in the exported format. For that you'd need to have a passphrase on the certificate itself, which isn't supported in the pfSense GUI at all currently.
-
@jimp said in Password in client export:
which isn’t supported in the pfSense GUI at all currently.
Is that something this will change in some future update? Not a concern of mine - just curious. Like the removal of the email requirement in the GUI should prob happen at some future date.
-
@johnpoz said in Password in client export:
@jimp said in Password in client export:
which isn’t supported in the pfSense GUI at all currently.
Is that something this will change in some future update? Not a concern of mine - just curious. Like the removal of the email requirement in the GUI should prob happen at some future date.
It would break quite a lot or effectively nullify the security since it either (a) would have to store the password for the cert, which seems like a bad idea, or (b) it wouldn't be able to use the certificate internally for certain purposes in those cases so we'd need more code to filter/exclude them from being listed in various places throughout the GUI.
It's not impossible, just impractical and thus far we haven't had a compelling reason to jump through all the hoops to do it.
-
No, not for the GUI being used for web UI. But for creating, say, a user cert on export of the key, etc.
It wouldn't need to be stored anywhere.
-
@johnpoz said in Password in client export:
No, not for the GUI being used for web UI. But for creating, say, a user cert on export of the key, etc.
Ah, that is more likely, but would require some extra smarts in the exporting code to collect/validate/apply the password. Doable but as above, thus far hasn't been something we've put any energy into.
-
Yeah, not a big issue. When you need to install into something that wants to see a password, you can just add it via openssl. Was just curious - thanks. When you're wanting your iOS phone to connect to an EAP-TLS Wi-Fi network, it wants a password. It will not take blank, and space doesn't work, etc.
Not a big deal if doing a handful.
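
The openssl step mentioned in the last post, as an added example that is not from the thread or from pfSense: it puts a passphrase on an exported private key (for the key block of an inline config), builds a password-protected PKCS#12 file, and checks that both open only with that passphrase. The file names, the passphrase and the self-signed sample identity are constructed stand-ins for a real exported user cert and key.

```shell
#!/bin/sh
set -eu

# Constructed stand-in for a user cert and unencrypted key exported from the GUI.
make_sample_identity() {  # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-vpn-user" \
    -keyout "$1/user.key" -out "$1/user.crt" 2>/dev/null
}

# Encrypt the private key (PKCS#8, AES-256-CBC). The passphrase is read from
# the environment so it does not appear in the process list.
protect_key() {  # $1 = plaintext key, $2 = encrypted key to write
  ( umask 077; openssl pkey -in "$1" -aes-256-cbc -passout env:EXPORT_PASS -out "$2" )
}

# Bundle cert and key into a password-protected PKCS#12 file.
make_p12() {  # $1 = cert, $2 = key, $3 = .p12 to write
  ( umask 077; openssl pkcs12 -export -in "$1" -inkey "$2" \
      -name "constructed-vpn-user" -passout env:EXPORT_PASS -out "$3" )
}

# Return 0 only if the key file is encrypted and opens with the passphrase in $2.
key_opens_with() {  # $1 = key file, $2 = passphrase
  grep -q 'ENCRYPTED PRIVATE KEY' "$1" &&
    CHECK_PASS="$2" openssl pkey -in "$1" -passin env:CHECK_PASS -noout </dev/null 2>/dev/null
}

# Return 0 only if the PKCS#12 file verifies with the passphrase in $2.
p12_opens_with() {  # $1 = .p12 file, $2 = passphrase
  CHECK_PASS="$2" openssl pkcs12 -in "$1" -passin env:CHECK_PASS -noout </dev/null 2>/dev/null
}

# Demo run on the constructed identity.
work=$(mktemp -d)
export EXPORT_PASS='constructed-Passphrase-1'   # constructed sample value
make_sample_identity "$work"
protect_key "$work/user.key" "$work/user.enc.key"
make_p12 "$work/user.crt" "$work/user.key" "$work/user.p12"
key_opens_with "$work/user.enc.key" "$EXPORT_PASS" && echo "encrypted key OK"
p12_opens_with "$work/user.p12" "$EXPORT_PASS" && echo "PKCS#12 OK"
rm -f "$work/user.key"   # distribute only the protected copies
```
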