Certificate Manager only exports insecure P12 Server certificates

  • I am trying to use the pfSense certificate manager as a convenient place to create and manage certificates for my local network. When I export a server certificate in P12 format the UI does not let me choose a password. I need to import that certificate and private key into a Docker image running a Spring app using Java keytool. However keytool is asking for a password and I have no idea what it is. I tried " " and "" with and without quotes and it fails every time.

    So, it appears that pfSense is exporting an unprotected file and keytool wants nothing to do with unprotected P12 files.

    The export process on pfSense seems deficient in this regard. It should ask for a password and if the person exporting the certificate and key wants to set an empty password, or make it unprotected, let them. Emitting insecure files containing private keys as the only choice seems less than optimal.

    I am posting here to see if there is a solution I don't know about before switching to a different certificate manager.

    There is no need to suggest working around the problem with an internal proxy. I saw a post from 8 months ago on this and don't need a new layer of complexity to work around the limitation.

  • LAYER 8 Global Moderator

    what would a proxy have to do with it??

    You can always put a password in your p12 with openssl.

  • Found this.

    # convert the unprotected P12 to PEM, encrypting the key under a temporary password
    openssl pkcs12 -in cert.p12 -out temp.pem -passin pass: -passout pass:temppassword
    # re-export the PEM as a P12 protected by the real password
    openssl pkcs12 -export -in temp.pem -out cert-final.p12 -passin pass:temppassword -passout pass:newpassword
    rm -f temp.pem

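The two-step re-wrap from the post above, as an added example that is not code from the thread or from pfSense. It builds a stand-in for the pfSense export (a self-signed certificate and key bundled into a P12 with an empty password), re-exports it under a real password, and checks that the result opens with the new password and rejects the empty one. It assumes only that the openssl binary (1.1.1 or 3.x) is on PATH; the file names, the password, the alias and the subject CN are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Assumes: openssl on PATH.  File names, password, alias and CN are made up.
set -eu
umask 077                      # files holding private keys are owner-only
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the pfSense "Export P12" button: a constructed key/cert pair
# bundled with an empty password (-passout pass:).  The -name value is the
# friendlyName, which keytool later shows as the entry's alias.
make_unprotected_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=spring.example.lan" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -name springapp -out "$1" -passout pass:
}

# The re-wrap from the post as a function.  Passwords are handed to openssl
# through environment variables (env:) instead of pass:, so they do not
# appear in `ps` output.  The intermediate PEM keeps the key encrypted under
# a throwaway password and is removed as soon as the new P12 exists.
rewrap_p12() {
    src="$1"; dst="$2"; newpass="$3"
    tmp="$WORK/temp.pem"
    TMPPASS="$(openssl rand -hex 16)"
    TMPPASS="$TMPPASS" openssl pkcs12 -in "$src" -out "$tmp" \
        -passin pass: -passout env:TMPPASS
    TMPPASS="$TMPPASS" NEWPASS="$newpass" openssl pkcs12 -export -in "$tmp" \
        -out "$dst" -passin env:TMPPASS -passout env:NEWPASS
    rm -f "$tmp"
}

# Succeeds only if the P12 opens with the given password and the empty
# password is now rejected (its MAC no longer verifies).
check_p12() {
    P="$2" openssl pkcs12 -in "$1" -noout -passin env:P >/dev/null 2>&1 || return 1
    if openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1; then
        return 1
    fi
}

make_unprotected_p12 "$WORK/pfsense-export.p12"
rewrap_p12 "$WORK/pfsense-export.p12" "$WORK/cert-final.p12" 'correct horse battery staple'
check_p12 "$WORK/cert-final.p12" 'correct horse battery staple'
echo "cert-final.p12 re-wrapped and verified"
```

Run it with sh; the final line only prints if the re-wrapped file accepts the new password and refuses the empty one. Two practical notes: if the first openssl pkcs12 step fails on OpenSSL 3 with an "unsupported" error on a real export, the file was written with the old RC2/3DES PBE algorithms that OpenSSL 3 moved to its legacy provider, and that call needs the -legacy option; and the friendlyName set with -name is what keytool reports as the alias after import, so pick it deliberately rather than accepting whatever the exporter chose.
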
  • @napsterbater Thanks for the response. I found that post before posing my question here. The issue is that this solution required the installation of a different certificate manager.

    What follows is not a complaint but an observation. It is now clear to me that the pfSense Certificate Manager is designed to import and export certificates needed by the router. It's a great router. We really shouldn't need it to be a CA as well.

    So I installed OpenSSL and used it to recreate all my certs, replacing the old ones as needed. We no longer generate certificates in the pfSense Certificate Manager.
