• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Signing CSR's - valid Digest Algorithm Issue

Scheduled Pinned Locked Moved General pfSense Questions
8 Posts 3 Posters 994 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • B
    bberry
    last edited by Dec 6, 2018, 8:25 PM

    ISSUE: I am unable to use the same sha512 Digest Algorithm option on both the signing request and the actual signing of the certificate. Is this on purpose or is this a bug?

    MY SETUP:

    offsiteCA (air gaped)
    v2.4.4-RELEASE-p1
    KEY LENGTH: 4096
    CERT: Digest Algorithm sha512
    NOTES:
    -will hold Top Level CA cert and key
    -will generate Intermediate CA's

    offsiteIntCA (air gaped)
    v2.4.4-RELEASE-p1
    KEY LENGTH: 4096
    CERT: Digest Algorithm sha512
    NOTES:
    -will hold Intermediate CA cert and key
    -will sign certs

    vpnSERVER (openvpn)
    v2.4.4-RELEASE-p1
    NOTES:
    -will submit sign request for its needed server cert
    -will submit sign requests for every client certs

    Certificate Signing Request
    key length: 4096
    Digest Algorithm: sha512
    Certificate Type: server
    NOTES:
    -submitting a sha256 sign request allows offsiteIntCA to sign it as a sha256.
    -this is not the case for sha512, i get the following error "The following input errors were detected: Please select a valid Digest Algorithm."
    -i am also able submit a sha256 signing request, but sign it as a sha512.

    Any feedback or insight would be much appreciated. I am happy to answer any questions or provide more information if I missed something above.

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Dec 6, 2018, 8:35 PM

      Seems a bit over the top ;)

      Why can you not just use VPNCA on pfsense that is running the vpn server? Intermediate and top level both airgapped.. Come really??? You might want to loosen up the tinfoil hat a bit ;)

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      B 1 Reply Last reply Dec 6, 2018, 10:22 PM Reply Quote 0
      • B
        bberry @johnpoz
        last edited by Dec 6, 2018, 10:22 PM

        @johnpoz said in Signing CSR's - valid Digest Algorithm Issue:

        Seems a bit over the top ;)

        Why can you not just use VPNCA on pfsense that is running the vpn server? Intermediate and top level both airgapped.. Come really??? You might want to loosen up the tinfoil hat a bit ;)

        very true @johnpoz, setting up a basic single router or the "just good enough approach" would totally solve my problem and definitely make my life a lot easier. Unfortunately the network I am required to build requires a higher level of security which of course comes with the annoying need for complexity and air gapping.

        Have you seen or heard of this particular issue? Is there any need to worry if i say submit a sha256 signing request, only to sign it using sha512? As long as the final product is sha512 I am okay with what ever the process requires.

        1 Reply Last reply Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz Dec 7, 2018, 2:57 AM Dec 7, 2018, 2:53 AM

          @bberry said in Signing CSR's - valid Digest Algorithm Issue:

          with the annoying need for complexity and air gapping.

          Fine - then when would a pfsense distro be your choice for a CA??

          This scenario is just so far out of the realm of realistic use case its not funny..

          Pfsense is a firewall/router distro - that is even has a CA or cert manager is a nice bell and whistle for user that could use such function in a one stop shop sort of setup.. That you should install a firewall/router distro on a air gapped machine to use as your CA.. Come on??

          Come back when you have an issue with its actual use case scenario ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          B 1 Reply Last reply Dec 7, 2018, 4:55 PM Reply Quote 0
          • B
            bberry @johnpoz
            last edited by Dec 7, 2018, 4:55 PM

            @johnpoz said in Signing CSR's - valid Digest Algorithm Issue:

            @bberry said in Signing CSR's - valid Digest Algorithm Issue:

            with the annoying need for complexity and air gapping.

            Fine - then when would a pfsense distro be your choice for a CA??

            This scenario is just so far out of the realm of realistic use case its not funny..

            Pfsense is a firewall/router distro - that is even has a CA or cert manager is a nice bell and whistle for user that could use such function in a one stop shop sort of setup.. That you should install a firewall/router distro on a air gapped machine to use as your CA.. Come on??

            Come back when you have an issue with its actual use case scenario ;)

            It is perfectly okay to admit that this issue is out of your knowledge scope. I don't blame you, it took me a couple days to wrap my head around using multi level CA setups.

            Okay... now lets ignore the fact that I am deciding to use air gapped pfsense routers for added security. Lets look instead at the actual issue/bug I am experiencing with using sha512 CSR's.

            RECAP

            1. submitting a sha256 sign request allows offsiteIntCA to sign it as a sha256.

            2. submitting a sha512 sign request spits out an error on the offsiteIntCA when signing it as a sha512. I get the following error "The following input errors were detected: Please select a valid Digest Algorithm."

            3. i am able submit a sha256 signing request, but sign it as a sha512.

            If anyone is familiar with this issue or is willing to test it out themselves to see if they are reproduce the issue that would be fantastic.

            1 Reply Last reply Reply Quote 0
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Dec 7, 2018, 6:51 PM

              I can reproduce it here.

              I opened https://redmine.pfsense.org/issues/9180 and should have a fix before long.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 1
              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Dec 7, 2018, 7:17 PM

                Fix pushed, it will show up on the ticket shortly, and then you can apply the change using the System Patches package.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 1
                • B
                  bberry
                  last edited by Dec 7, 2018, 9:44 PM

                  Thanks @jimp for looking into this, I am happy to hear that there was actually an issue here and that you were able to resolve the issue so swiftly. I look forward to applying the fix when made available.

                  1 Reply Last reply Reply Quote 0
                  1 out of 8
                  • First post
                    1/8
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                    This community forum collects and processes your personal information.
                    consent.not_received