Adding a Trusted Root Certificate Authority Certificate

999Vladislav999

Greetings dear forum users!
I really need help. I use pfSense in my company, and we were obliged to put a certificate that monitors the activities of the organization’s employees, now I need to install this certificate in the milking root certification authorities. I am using pfSense 2.4 and cannot figure out where I need to install it. I don't know FreeBSD well, so I am contacting you for help.

[2.4.5-RELEASE][admin@si.ua/etc/ssl: date
Tue May 19 10:10:02 +03 2020
Updating pfSense-core repository catalogue...
Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:

Gertjan

Hi !

@999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

and we were obliged to put a certificate that monitors the activities of the organization’s employees

Certificates can not monitor some one or something.
Plaese elaborate.

@999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

this certificate in the milking root certification authorities.

Major Google translate error ?
( certificates have nothing in common with cows neither )

@999Vladislav999 said in [Adding a Trusted Root Certificate Authority Certificate](/post/912878):
> [2.4.5-RELEASE][admin@si.ua/etc/ssl: date
> Tue May 19 10:10:02 +03 2020
> Updating pfSense-core repository catalogue...
> Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for
.......
USIAG/emailAddress=support@sts.kz
> 34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:

What are you doing ??

First things first.
Point a browser at http://192.168.1.1
pfSense administration is done using the GUI access.
You'll find the menu where you can create / import / export CA certs and more.

999Vladislav999

I'm going
System->Cert. Manager->Certificates->Add/Sign->Import an existing Certificate
but there you need to have public and private keys, I have only the public one, which is installed as for example in firefox, in trusted root certification authorities. The certificate that we are required to install controls the traffic, like a person in the middle, without installing this certificate, I can’t go to the Internet

999Vladislav999

This is done at the level of internet providers

999Vladislav999

Thanks for trying to help, I figured it out, it was necessary to add pem encoding along the path /usr/local/etc/ssl/cert.pem

viktor_g

@999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

Thanks for trying to help, I figured it out, it was necessary to add pem encoding along the path /usr/local/etc/ssl/cert.pem

Please check this https://redmine.pfsense.org/issues/4068

johnpoz

@999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

without installing this certificate, I can’t go to the Internet

Huh? How does installing a CA into pfsense get you internet access - just at a loss to what your doing at all..

And it sure and the hell doesn't belong in the TSNR section. Moving.

jimp

Adding their upstream provider proxy's snooping CA will let pfSense make HTTPS requests through their (compromised, insecure) proxy without using manual proxy settings.

There is no supported method for adding a CA that way on 2.4.5. The feature was recently implemented on 2.5.0.

johnpoz

Oh so pfsense can do its "own" traffic through the snooping upstream proxy... This would have zero to do with clients behind pfsense - those clients would need to trust this CA as well.. Because the upstream proxy is doing mitm..

What gov is this?