How to add extendedKeyUsage = serverAuth,clientAuth into server cert with Certificate Manager
-
Why do you need both?
If you set the certificate type to Server, then it gets
TLS Web Server Authentication, IP Security IKE Intermediate
in EKU, if you set it to a User cert, then it gets TLS Web Client Authentication
in EKU.
-
@jimp thanks for the reply. Having both EKU: serverAuth,clientAuth is required for some enterprise networking appliance for features such as radius over TLS to work. If the UI allows for certificate custom types, it would open up more use cases. I tried the following that was posted on another site without success:
Step 1: Add certificate info at the end of /etc/ssl/openssl.cnf

    [ cert_type ]
    subjectKeyIdentifier=hash
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature
    extendedKeyUsage = codeSigning, msCodeInd, msCodeCom
    nsCertType = client, email, objsign

Step 2: Add the cert_type to /etc/inc/certs.inc
You will need to search for switch ($type) { and in this switch you add a new case:

    case "customtype":
        $cert_type = "cert_type";
        break;

Result:

    switch ($type) {
        case "ca":
            $cert_type = "v3_ca";
            break;
        case "server":
        case "self-signed":
            $cert_type = "server";
            break;
        case "customtype":
            $cert_type = "cert_type";
            break;
        default:
            $cert_type = "usr_cert";
            break;
    }

Step 3: Add the Type to /usr/local/www/system_certmanager.php
In this step you give the certificate type a name in the Web UI.
Search for: $cert_types = array(
Add: "customtype" => "custom type",

Result:

    $cert_types = array(
        "ca" => "Certificate Authority",
        "server" => "Server Certificate",
        "customtype" => "custom type",
        "user" => "User Certificate");

Suggestions?
-
@rexchow said in How to add extendedKeyUsage = serverAuth,clientAuth into server cert with Certificate Manager:
some enterprise networking appliance
Like what exactly? Please post the exact appliance you're working with.
-
Anyone else have a workaround for this via pfSense 2.4 or 2.5?
-
That patch is close but the name in openssl.cnf should probably be [cert_type_san] since _san would get added to the $cert_type string lower down.

I don't see this being added in the GUI any time soon, though, since it isn't something you can let the user pick and choose. Those get defined in openssl.cnf, and that isn't changed dynamically.

I did notice that ACME certs end up with both, so I'm not sure what their reasoning might be behind that. It may not be completely unheard of, but still seems odd.
So if it does get added the easiest thing to do would just be to enable it for all server certs, not an extra choice.
-
Looks like ISRG (in other words, Let's Encrypt) recommends having both for end entity certificates, https://letsencrypt.org/documents/isrg-cps-v2.6/ and I don't see any recommendations against including both or downsides, so it should be safe to add clientAuth to server certificates.
More info at https://redmine.pfsense.org/issues/9868
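As an added example (not pfSense code and not posted by anyone in this thread), the script below writes an openssl.cnf extension section equivalent to the pfSense [ server ] section with clientAuth added, generates a self-signed certificate from it directly with the openssl command line, and then checks that the resulting EKU really carries both serverAuth and clientAuth. That last check is the one to run against any certificate produced after editing the config, whether by hand or through the Certificate Manager. The CN, file names, key size and validity are assumptions; the 1.3.6.1.5.5.8.2.2 OID is the one pfSense's server section already includes.

```shell
#!/bin/sh
# Added example, not part of pfSense. Generates a self-signed certificate whose
# extendedKeyUsage carries serverAuth AND clientAuth (plus the IKE intermediate
# OID that pfSense's [ server ] section already uses) and verifies it.
set -e

# Assumed scratch location; the file names are arbitrary.
WORK="${WORK:-$(mktemp -d)}"
CONF="$WORK/eku.cnf"

cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
x509_extensions = server_both

[ req_dn ]
CN = radsec.example.test

# Same shape as the pfSense [ server ] section, with clientAuth added.
[ server_both ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:radsec.example.test
EOF

# make_cert: writes key + self-signed cert into $WORK and prints the cert path.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -config "$CONF" >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# eku_of: prints the value line that follows "X509v3 Extended Key Usage"
# in the certificate's text dump (empty if the extension is absent).
eku_of() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Extended Key Usage/ {getline; print; exit}'
}

# has_both_eku: succeeds only when the EKU lists both TLS Web Server
# Authentication (serverAuth) and TLS Web Client Authentication (clientAuth).
has_both_eku() {
  eku="$(eku_of "$1")"
  case "$eku" in
    *"TLS Web Server Authentication"*) ;;
    *) return 1 ;;
  esac
  case "$eku" in
    *"TLS Web Client Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

CERT="$(make_cert)"
echo "EKU of $CERT:"
eku_of "$CERT"
if has_both_eku "$CERT"; then
  echo "OK: serverAuth and clientAuth both present"
else
  echo "MISSING: certificate does not carry both EKUs" >&2
  exit 1
fi
```

To check a certificate exported from the Certificate Manager instead, skip make_cert and run has_both_eku against that file. If the dump still lacks TLS Web Client Authentication after the config edit, the certificate was generated under a different section than the one edited, which is what jimp's note about the _san suffix is pointing at.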
-
Hello @jimp
Thanks for the feedback. I've updated the [ server ] section in both /etc/ssl/openssl.cnf and /usr/local/share/pfsense/ssl/openssl.cnf and rebooted pfSense, but the newly generated server cert from the cert manager still does not include 'clientAuth':
extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.8.2.2
Suggestions?
-
@johnpoz
Any appliance that supports a radsec radiusproxy client will likely need this requirement unless the appliance handles a server and a client certificate separately.
-
https://redmine.pfsense.org/projects/pfsense/repository/revisions/46869dd2b5ebf32e8297d65f98444fb38d314336/diff
-
Change all four instances