Adding a Trusted Root Certificate Authority Certificate



  • Greetings dear forum users!
    I really need help. I use pfSense in my company, and we were obliged to put a certificate that monitors the activities of the organization’s employees. Now I need to install this certificate in the milking root certification authorities. I am using pfSense 2.4 and cannot figure out where I need to install it. I don't know FreeBSD well, so I am contacting you for help.

    [2.4.5-RELEASE][admin@si.ua/etc/ssl: date
    Tue May 19 10:10:02 +03 2020
    Updating pfSense-core repository catalogue...
    Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
    34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
    34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
    34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error
    repository pfSense-core has no meta file, using default settings
    Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
    34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:



  • Hi!

    @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

    and we were obliged to put a certificate that monitors the activities of the organization’s employees

    Certificates cannot monitor someone or something.
    Please elaborate.

    @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

    this certificate in the milking root certification authorities.

    Major Google Translate error?
    (Certificates have nothing in common with cows either.)

    @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:
    > [2.4.5-RELEASE][admin@si.ua/etc/ssl: date
    > Tue May 19 10:10:02 +03 2020
    > Updating pfSense-core repository catalogue...
    > Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for
    .......
    USIAG/emailAddress=support@sts.kz
    > 34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    

    What are you doing??

    First things first.
    Point a browser at http://192.168.1.1
    pfSense administration is done using the GUI access.
    You'll find the menu where you can create / import / export CA certs and more.



  • I'm going to
    System->Cert. Manager->Certificates->Add/Sign->Import an existing Certificate
    but there you need to have public and private keys. I have only the public one, which is installed, for example, in Firefox, in trusted root certification authorities. The certificate that we are required to install controls the traffic, like a person in the middle. Without installing this certificate, I can’t go to the Internet.



  • This is done at the level of internet providers



  • Thanks for trying to help. I figured it out: it was necessary to add PEM encoding along the path /usr/local/etc/ssl/cert.pem



  • @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

    Thanks for trying to help. I figured it out: it was necessary to add PEM encoding along the path /usr/local/etc/ssl/cert.pem

    Please check this https://redmine.pfsense.org/issues/4068


  • LAYER 8 Global Moderator

    @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

    without installing this certificate, I can’t go to the Internet

    Huh? How does installing a CA into pfsense get you internet access - just at a loss to what you're doing at all..

    And it sure and the hell doesn't belong in the TSNR section. Moving.


  • Rebel Alliance Developer Netgate

    Adding their upstream provider proxy's snooping CA will let pfSense make HTTPS requests through their (compromised, insecure) proxy without using manual proxy settings.

    There is no supported method for adding a CA that way on 2.4.5. The feature was recently implemented on 2.5.0.
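
Added example (not from the thread or from pfSense): a Python triage of pkg output shaped like the log in the first post. It pulls out the certificate name that failed verification and the repository fetches that broke, which is how an intercepting upstream proxy shows up on the firewall itself. The sample lines are constructed from that log, and `expected_orgs` is a hypothetical operator-supplied allowlist.

```python
import re
from collections import Counter

# Constructed sample, in the shape of the pkg output quoted in the first post.
FAIL = ("Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ"
        "/CN=Intermediate for USIAG/emailAddress=support@sts.kz")
SAMPLE = "\n".join([
    "Updating pfSense-core repository catalogue...",
    FAIL,
    "34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:"
    "certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src"
    "/crypto/openssl/ssl/s3_clnt.c:1269:",
    FAIL,
    "pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error",
    "repository pfSense-core has no meta file, using default settings",
])

FAIL_RE = re.compile(r"^Certificate verification failed for (/.+)$")
URL_RE = re.compile(r"^pkg: (https://\S+): Authentication error$")
# Split only on a "/" that starts a new KEY= attribute, so values keep spaces.
ATTR_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

def parse_dn(dn):
    """Turn an OpenSSL one-line name (/C=../O=../CN=..) into a dict."""
    attrs = {}
    for part in ATTR_SPLIT.split(dn):
        if part:
            key, _, value = part.partition("=")
            attrs[key] = value
    return attrs

def triage(text, expected_orgs=()):
    """Count failing certificate names, list broken fetches, flag unknown O= values."""
    names, urls = Counter(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = FAIL_RE.match(line)
        if m:
            names[m.group(1)] += 1
            continue
        m = URL_RE.match(line)
        if m:
            urls.append(m.group(1))
    orgs = {parse_dn(dn).get("O", "<none>") for dn in names}
    return {"failing_names": dict(names), "failed_urls": urls,
            "unexpected_orgs": sorted(orgs - set(expected_orgs))}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
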


  • LAYER 8 Global Moderator

    Oh so pfsense can do its "own" traffic through the snooping upstream proxy... This would have zero to do with clients behind pfsense - those clients would need to trust this CA as well.. Because the upstream proxy is doing mitm..

    What gov is this?

