Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Signing CSR's - valid Digest Algorithm Issue

    General pfSense Questions
    3
    8
    563
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bberry last edited by

      ISSUE: I am unable to use the same sha512 Digest Algorithm option on both the signing request and the actual signing of the certificate. Is this on purpose or is this a bug?

      MY SETUP:

      offsiteCA (air gaped)
      v2.4.4-RELEASE-p1
      KEY LENGTH: 4096
      CERT: Digest Algorithm sha512
      NOTES:
      -will hold Top Level CA cert and key
      -will generate Intermediate CA's

      offsiteIntCA (air gaped)
      v2.4.4-RELEASE-p1
      KEY LENGTH: 4096
      CERT: Digest Algorithm sha512
      NOTES:
      -will hold Intermediate CA cert and key
      -will sign certs

      vpnSERVER (openvpn)
      v2.4.4-RELEASE-p1
      NOTES:
      -will submit sign request for its needed server cert
      -will submit sign requests for every client certs

      Certificate Signing Request
      key length: 4096
      Digest Algorithm: sha512
      Certificate Type: server
      NOTES:
      -submitting a sha256 sign request allows offsiteIntCA to sign it as a sha256.
      -this is not the case for sha512, i get the following error "The following input errors were detected: Please select a valid Digest Algorithm."
      -i am also able submit a sha256 signing request, but sign it as a sha512.

      Any feedback or insight would be much appreciated. I am happy to answer any questions or provide more information if I missed something above.

      1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        Seems a bit over the top ;)

        Why can you not just use VPNCA on pfsense that is running the vpn server? Intermediate and top level both airgapped.. Come really??? You might want to loosen up the tinfoil hat a bit ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.01 | Lab VMs CE 2.6, 2.7

        B 1 Reply Last reply Reply Quote 0
        • B
          bberry @johnpoz last edited by

          @johnpoz said in Signing CSR's - valid Digest Algorithm Issue:

          Seems a bit over the top ;)

          Why can you not just use VPNCA on pfsense that is running the vpn server? Intermediate and top level both airgapped.. Come really??? You might want to loosen up the tinfoil hat a bit ;)

          very true @johnpoz, setting up a basic single router or the "just good enough approach" would totally solve my problem and definitely make my life a lot easier. Unfortunately the network I am required to build requires a higher level of security which of course comes with the annoying need for complexity and air gapping.

          Have you seen or heard of this particular issue? Is there any need to worry if i say submit a sha256 signing request, only to sign it using sha512? As long as the final product is sha512 I am okay with what ever the process requires.

          1 Reply Last reply Reply Quote 0
          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by johnpoz

            @bberry said in Signing CSR's - valid Digest Algorithm Issue:

            with the annoying need for complexity and air gapping.

            Fine - then when would a pfsense distro be your choice for a CA??

            This scenario is just so far out of the realm of realistic use case its not funny..

            Pfsense is a firewall/router distro - that is even has a CA or cert manager is a nice bell and whistle for user that could use such function in a one stop shop sort of setup.. That you should install a firewall/router distro on a air gapped machine to use as your CA.. Come on??

            Come back when you have an issue with its actual use case scenario ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 23.01 | Lab VMs CE 2.6, 2.7

            B 1 Reply Last reply Reply Quote 0
            • B
              bberry @johnpoz last edited by

              @johnpoz said in Signing CSR's - valid Digest Algorithm Issue:

              @bberry said in Signing CSR's - valid Digest Algorithm Issue:

              with the annoying need for complexity and air gapping.

              Fine - then when would a pfsense distro be your choice for a CA??

              This scenario is just so far out of the realm of realistic use case its not funny..

              Pfsense is a firewall/router distro - that is even has a CA or cert manager is a nice bell and whistle for user that could use such function in a one stop shop sort of setup.. That you should install a firewall/router distro on a air gapped machine to use as your CA.. Come on??

              Come back when you have an issue with its actual use case scenario ;)

              It is perfectly okay to admit that this issue is out of your knowledge scope. I don't blame you, it took me a couple days to wrap my head around using multi level CA setups.

              Okay... now lets ignore the fact that I am deciding to use air gapped pfsense routers for added security. Lets look instead at the actual issue/bug I am experiencing with using sha512 CSR's.

              RECAP

              1. submitting a sha256 sign request allows offsiteIntCA to sign it as a sha256.

              2. submitting a sha512 sign request spits out an error on the offsiteIntCA when signing it as a sha512. I get the following error "The following input errors were detected: Please select a valid Digest Algorithm."

              3. i am able submit a sha256 signing request, but sign it as a sha512.

              If anyone is familiar with this issue or is willing to test it out themselves to see if they are reproduce the issue that would be fantastic.

              1 Reply Last reply Reply Quote 0
              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                I can reproduce it here.

                I opened https://redmine.pfsense.org/issues/9180 and should have a fix before long.

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 1
                • jimp
                  jimp Rebel Alliance Developer Netgate last edited by

                  Fix pushed, it will show up on the ticket shortly, and then you can apply the change using the System Patches package.

                  Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  1 Reply Last reply Reply Quote 1
                  • B
                    bberry last edited by

                    Thanks @jimp for looking into this, I am happy to hear that there was actually an issue here and that you were able to resolve the issue so swiftly. I look forward to applying the fix when made available.

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post