Signing CSR's - valid Digest Algorithm Issue

bberry · Dec 6, 2018, 8:25 PM

ISSUE: I am unable to use the same sha512 Digest Algorithm option on both the signing request and the actual signing of the certificate. Is this on purpose or is this a bug?

MY SETUP:

offsiteCA (air gaped)
v2.4.4-RELEASE-p1
KEY LENGTH: 4096
CERT: Digest Algorithm sha512
NOTES:
-will hold Top Level CA cert and key
-will generate Intermediate CA's

offsiteIntCA (air gaped)
v2.4.4-RELEASE-p1
KEY LENGTH: 4096
CERT: Digest Algorithm sha512
NOTES:
-will hold Intermediate CA cert and key
-will sign certs

vpnSERVER (openvpn)
v2.4.4-RELEASE-p1
NOTES:
-will submit sign request for its needed server cert
-will submit sign requests for every client certs

Certificate Signing Request
key length: 4096
Digest Algorithm: sha512
Certificate Type: server
NOTES:
-submitting a sha256 sign request allows offsiteIntCA to sign it as a sha256.
-this is not the case for sha512, i get the following error "The following input errors were detected: Please select a valid Digest Algorithm."
-i am also able submit a sha256 signing request, but sign it as a sha512.

Any feedback or insight would be much appreciated. I am happy to answer any questions or provide more information if I missed something above.

johnpoz · Dec 6, 2018, 8:35 PM

Seems a bit over the top ;)

Why can you not just use VPNCA on pfsense that is running the vpn server? Intermediate and top level both airgapped.. Come really??? You might want to loosen up the tinfoil hat a bit ;)

bberry · Dec 6, 2018, 10:22 PM

@johnpoz said in Signing CSR's - valid Digest Algorithm Issue:

Seems a bit over the top ;)

Why can you not just use VPNCA on pfsense that is running the vpn server? Intermediate and top level both airgapped.. Come really??? You might want to loosen up the tinfoil hat a bit ;)

very true @johnpoz, setting up a basic single router or the "just good enough approach" would totally solve my problem and definitely make my life a lot easier. Unfortunately the network I am required to build requires a higher level of security which of course comes with the annoying need for complexity and air gapping.

Have you seen or heard of this particular issue? Is there any need to worry if i say submit a sha256 signing request, only to sign it using sha512? As long as the final product is sha512 I am okay with what ever the process requires.

johnpoz · Dec 7, 2018, 2:57 AM

@bberry said in Signing CSR's - valid Digest Algorithm Issue:

with the annoying need for complexity and air gapping.

Fine - then when would a pfsense distro be your choice for a CA??

This scenario is just so far out of the realm of realistic use case its not funny..

Pfsense is a firewall/router distro - that is even has a CA or cert manager is a nice bell and whistle for user that could use such function in a one stop shop sort of setup.. That you should install a firewall/router distro on a air gapped machine to use as your CA.. Come on??

Come back when you have an issue with its actual use case scenario ;)

bberry · Dec 7, 2018, 4:55 PM

@johnpoz said in Signing CSR's - valid Digest Algorithm Issue:

@bberry said in Signing CSR's - valid Digest Algorithm Issue:

with the annoying need for complexity and air gapping.

Fine - then when would a pfsense distro be your choice for a CA??

This scenario is just so far out of the realm of realistic use case its not funny..

Pfsense is a firewall/router distro - that is even has a CA or cert manager is a nice bell and whistle for user that could use such function in a one stop shop sort of setup.. That you should install a firewall/router distro on a air gapped machine to use as your CA.. Come on??

Come back when you have an issue with its actual use case scenario ;)

It is perfectly okay to admit that this issue is out of your knowledge scope. I don't blame you, it took me a couple days to wrap my head around using multi level CA setups.

Okay... now lets ignore the fact that I am deciding to use air gapped pfsense routers for added security. Lets look instead at the actual issue/bug I am experiencing with using sha512 CSR's.

RECAP

submitting a sha256 sign request allows offsiteIntCA to sign it as a sha256.
submitting a sha512 sign request spits out an error on the offsiteIntCA when signing it as a sha512. I get the following error "The following input errors were detected: Please select a valid Digest Algorithm."
i am able submit a sha256 signing request, but sign it as a sha512.

If anyone is familiar with this issue or is willing to test it out themselves to see if they are reproduce the issue that would be fantastic.

jimp · Dec 7, 2018, 6:51 PM

I can reproduce it here.

I opened https://redmine.pfsense.org/issues/9180 and should have a fix before long.

jimp · Dec 7, 2018, 7:17 PM

Fix pushed, it will show up on the ticket shortly, and then you can apply the change using the System Patches package.

bberry · Dec 7, 2018, 9:44 PM

Thanks @jimp for looking into this, I am happy to hear that there was actually an issue here and that you were able to resolve the issue so swiftly. I look forward to applying the fix when made available.