Cert Manager - P12 Export

mjt-tx

Hi All,
Is there a way to either set a password on .p12 certificate exports or determine what the default password IS? I have created a user cert and would like to import it into my macbook via keychain access. I have tried using no password, using a " " space as a password, and nothing works. Any help would be appreciated.

Best,
Michael

jimp

By default there is no password.

We have added a means to export with a password in 2.5.0

mjt-tx

@jimp Thanks for the info. I tried with empty password and also with a space charachter. Is OSX just picky about this stuff?

johnpoz

you can set a password on it with openssl... let me dig up the thread where went over it.

Here
https://forum.netgate.com/post/670290

Which points to the docs, where I had put it in back when it was wiki

https://docs.netgate.com/pfsense/en/latest/packages/using-eap-and-peap-with-freeradius.html#eap-tls

If your client will not load the .p12 without a password on it, and space does not work you can add a password with openssl

Just download user cert and key vs the p12 and with the ca cert use the following command
openssl pkcs12 -export -certfile ca.crt -in user.crt -inkey user.key -out user.p12

mjt-tx

@johnpoz Thanks for the input. This worked just fine.

sgw

Digging up this thread, because I face issues with 23.01 and LetsEncrypt-Certs:

I have an ACME-cert for an MS Exchange Server which I renew every 90 days.
As far as I remember last time I exported the p12 from the pfSense, imported it by double-click into Windows Server ... without a password.

Now the cert doesn't get accepted, I added a password via openssl ... just can't import it.

Do I miss something? Is there a bug? Unfortunately I can't upgrade to 23.05 there right now.

jimp

@sgw said in Cert Manager - P12 Export:

Digging up this thread, because I face issues with 23.01 and LetsEncrypt-Certs:

I have an ACME-cert for an MS Exchange Server which I renew every 90 days.
As far as I remember last time I exported the p12 from the pfSense, imported it by double-click into Windows Server ... without a password.

Now the cert doesn't get accepted, I added a password via openssl ... just can't import it.

Do I miss something? Is there a bug? Unfortunately I can't upgrade to 23.05 there right now.

It's better to start your own new thread than try to resurrect a 3 year old thread that isn't relevant anymore.

You can export with a password and different encryption options directly in the GUI for several versions now:

https://docs.netgate.com/pfsense/en/latest/certificates/certificate.html#export-password-protected-files-or-use-different-encryption-options