Netgate Discussion Forum

How to add extendedKeyUsage = serverAuth,clientAuth into server cert with Certificate Manager

2.5 Development Snapshots (Retired)
11 Posts 3 Posters 7.3k Views
    rexchow
    last edited by Oct 30, 2019, 8:15 AM

    extendedKeyUsage, serverAuth,clientAuth

      jimp Rebel Alliance Developer Netgate
      last edited by Oct 30, 2019, 12:29 PM

      Why do you need both?

      If you set the certificate type to Server, it gets TLS Web Server Authentication and IP Security IKE Intermediate in the EKU; if you set it to a User cert, it gets TLS Web Client Authentication in the EKU.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        rexchow
        last edited by Oct 30, 2019, 6:38 PM

        @jimp thanks for the reply. Having both EKUs (serverAuth, clientAuth) is required for some enterprise networking appliances for features such as RADIUS over TLS to work. If the UI allowed custom certificate types, it would open up more use cases. I tried the following, which was posted on another site, without success:

        Step 1: Add certificate info at the end of /etc/ssl/openssl.cnf
        [ cert_type ]
        subjectKeyIdentifier=hash
        basicConstraints = CA:FALSE
        keyUsage = digitalSignature
        extendedKeyUsage = codeSigning, msCodeInd, msCodeCom
        nsCertType = client, email, objsign

        Step 2: Add the cert_type to /etc/inc/certs.inc
        You will need to search for switch ($type) {
        in this switch you add a new case:
            case "customtype":
                $cert_type = "cert_type";
                break;

        result:
            switch ($type) {
                case "ca":
                    $cert_type = "v3_ca";
                    break;
                case "server":
                case "self-signed":
                    $cert_type = "server";
                    break;
                case "customtype":
                    $cert_type = "cert_type";
                    break;
                default:
                    $cert_type = "usr_cert";
                    break;
            }

        Step 3: Add the Type to /usr/local/www/system_certmanager.php
        In this step you give the certificate type a name in the Web UI.
        search for: $cert_types = array(
        add: "customtype" => "custom type",

        Result:

            $cert_types = array(
                "ca" => "Certificate Authority",
                "server" => "Server Certificate",
                "customtype" => "custom type",
                "user" => "User Certificate");

        Suggestions?

          johnpoz LAYER 8 Global Moderator
          last edited by Oct 30, 2019, 6:46 PM

          @rexchow said in How to add extendedKeyUsage = serverAuth,clientAuth into server cert with Certificate Manager:

          some enterprise networking appliance

          Like what exactly? Please post the exact appliance you're working with.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            rexchow
            last edited by Oct 30, 2019, 7:23 PM

            Anyone else have a work around for this via Pfsense 2.4 or 2.5?

              jimp Rebel Alliance Developer Netgate
              last edited by jimp Oct 31, 2019, 3:21 PM Oct 30, 2019, 7:54 PM

              That patch is close but the name in openssl.cnf should probably be [cert_type_san] since _san would get added to the $cert_type string lower down.

              I don't see this being added in the GUI any time soon, though, since it isn't something you can let the user pick and choose. Those get defined in openssl.cnf, and that isn't changed dynamically.

              I did notice that ACME certs end up with both, so I'm not sure what their reasoning might be behind that. It may not be completely unheard of, but still seems odd.

              So if it does get added the easiest thing to do would just be to enable it for all server certs, not an extra choice.

                jimp Rebel Alliance Developer Netgate
                last edited by Oct 31, 2019, 3:47 PM

                Looks like ISRG (in other words, Let's Encrypt) recommends having both for end entity certificates, https://letsencrypt.org/documents/isrg-cps-v2.6/ and I don't see any recommendations against including both or downsides, so it should be safe to add clientAuth to server certificates.

                More info at https://redmine.pfsense.org/issues/9868

                  rexchow
                  last edited by Nov 1, 2019, 10:56 PM

                  Hello @jimp
                  Thanks for the feedback.

                  I've updated the [ server ] section in both /etc/ssl/openssl.cnf and /usr/local/share/pfsense/ssl/openssl.cnf and rebooted pfSense, but the newly generated server cert from the cert manager still does not include 'clientAuth':

                  extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.8.2.2

                  Suggestions?

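The procedure posted earlier in this thread (Steps 1 to 3) and the extendedKeyUsage line quoted just above both aim at one outcome: a server certificate whose EKU lists serverAuth, clientAuth and 1.3.6.1.5.5.8.2.2 (IP Security IKE Intermediate). The following is an added example, not code from this thread or from pfSense: it builds such a certificate with Go's standard crypto/x509 package (instead of openssl.cnf, so it runs without OpenSSL installed) and then decodes the raw EKU extension, which is the check to run after editing openssl.cnf to see which purposes a generated certificate really carries. The host names, fixed serial and one-year validity are constructed values, and the function names (issueServerCert, EKUOIDs, HasEKU, UsableAsRadSecPeer) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs as they appear in the thread: the extendedKeyUsage extension itself,
// and the "IP Security IKE Intermediate" purpose pfSense adds to server certs.
var (
	oidExtKeyUsage     = asn1.ObjectIdentifier{2, 5, 29, 37}
	oidIKEIntermediate = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 8, 2, 2}
)

// issueServerCert builds a self-signed end-entity certificate for cn.
// With withClientAuth=true the EKU is serverAuth,clientAuth,1.3.6.1.5.5.8.2.2,
// i.e. the extendedKeyUsage line from the thread; with false it is the
// serverAuth-only shape of a server cert before that change.
// Constructed example: fixed serial, one-year validity, P-256 key.
func issueServerCert(cn string, withClientAuth bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ekus := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	if withClientAuth {
		ekus = append(ekus, x509.ExtKeyUsageClientAuth)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // constructed; real issuers use random serials
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus,
		UnknownExtKeyUsage:    []asn1.ObjectIdentifier{oidIKEIntermediate},
		BasicConstraintsValid: true, // CA:FALSE
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// EKUOIDs decodes the raw extendedKeyUsage extension and returns its OIDs in
// dotted form, in certificate order: the same list "openssl x509 -text" shows.
// A nil result means the extension is absent (RFC 5280: no EKU restriction).
func EKUOIDs(cert *x509.Certificate) ([]string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidExtKeyUsage) {
			continue
		}
		var oids []asn1.ObjectIdentifier // SEQUENCE OF KeyPurposeId
		rest, err := asn1.Unmarshal(ext.Value, &oids)
		if err != nil {
			return nil, fmt.Errorf("extendedKeyUsage: %w", err)
		}
		if len(rest) != 0 {
			return nil, fmt.Errorf("extendedKeyUsage: %d trailing bytes", len(rest))
		}
		out := make([]string, 0, len(oids))
		for _, o := range oids {
			out = append(out, o.String())
		}
		return out, nil
	}
	return nil, nil
}

// HasEKU reports whether the parsed certificate explicitly lists usage.
func HasEKU(cert *x509.Certificate, usage x509.ExtKeyUsage) bool {
	for _, u := range cert.ExtKeyUsage {
		if u == usage {
			return true
		}
	}
	return false
}

// UsableAsRadSecPeer models the requirement described in the thread: one
// certificate must be acceptable both as TLS server and as TLS client.
// It is deliberately strict and does not treat a missing EKU extension as "any".
func UsableAsRadSecPeer(cert *x509.Certificate) bool {
	return HasEKU(cert, x509.ExtKeyUsageServerAuth) && HasEKU(cert, x509.ExtKeyUsageClientAuth)
}

func main() {
	for _, both := range []bool{false, true} {
		cert, err := issueServerCert("radsec.example.test", both)
		if err != nil {
			panic(err)
		}
		oids, _ := EKUOIDs(cert)
		fmt.Printf("clientAuth in profile: %-5v  EKU OIDs: %v  usable as RadSec peer: %v\n",
			both, oids, UsableAsRadSecPeer(cert))
	}
}
```

To run the same check on a certificate exported from the Certificate Manager, decode the PEM with encoding/pem and pass the DER bytes to x509.ParseCertificate before calling EKUOIDs; on the firewall itself, openssl x509 -in cert.pem -noout -text shows the same list under X509v3 Extended Key Usage, which is the quickest way to see whether the edited openssl.cnf section was actually used.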
                    rexchow @johnpoz
                    last edited by Nov 1, 2019, 10:58 PM

                    @johnpoz
                    Any appliance that supports a radsec radiusproxy client will likely need this requirement unless the appliance handles a server and a client certificate separately.

                      jimp Rebel Alliance Developer Netgate
                      last edited by Nov 1, 2019, 11:19 PM

                      https://redmine.pfsense.org/projects/pfsense/repository/revisions/46869dd2b5ebf32e8297d65f98444fb38d314336/diff

                        jimp Rebel Alliance Developer Netgate
                        last edited by Nov 1, 2019, 11:19 PM

                        Change all four instances

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.