Netgate Discussion Forum

    Adding a Trusted Root Certificate Authority Certificate

    General pfSense Questions
    9 Posts 5 Posters 1.5k Views
    • 999Vladislav999

      Greetings dear forum users!
      I really need help. I use pfSense in my company, and we were obliged to put a certificate that monitors the activities of the organization’s employees, now I need to install this certificate in the milking root certification authorities. I am using pfSense 2.4 and cannot figure out where I need to install it. I don't know FreeBSD well, so I am contacting you for help.

      [2.4.5-RELEASE][admin@si.ua/etc/ssl: date
      Tue May 19 10:10:02 +03 2020
      Updating pfSense-core repository catalogue...
      Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
      34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
      34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
      34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
      pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error
      repository pfSense-core has no meta file, using default settings
      Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
      34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:

      • Gertjan

        Hi !

        @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

        and we were obliged to put a certificate that monitors the activities of the organization’s employees

        Certificates cannot monitor someone or something.
        Please elaborate.

        @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

        this certificate in the milking root certification authorities.

        Major Google translate error ?
        ( certificates have nothing in common with cows either )

        @999Vladislav999 said in [Adding a Trusted Root Certificate Authority Certificate](/post/912878):
        > [2.4.5-RELEASE][admin@si.ua/etc/ssl: date
        > Tue May 19 10:10:02 +03 2020
        > Updating pfSense-core repository catalogue...
        > Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
        > 34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:

        What are you doing ??

        First things first.
        Point a browser at http://192.168.1.1
        pfSense administration is done using the GUI access.
        You'll find the menu where you can create / import / export CA certs and more.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • 999Vladislav999

          I'm going
          System->Cert. Manager->Certificates->Add/Sign->Import an existing Certificate
          but there you need to have public and private keys; I have only the public one, which is installed, as in Firefox for example, in trusted root certification authorities. The certificate that we are required to install controls the traffic, like a person in the middle; without installing this certificate, I can't go to the Internet.

          • 999Vladislav999

            This is done at the level of internet providers

            • 999Vladislav999

              Thanks for trying to help, I figured it out: it was necessary to add the PEM encoding at the path /usr/local/etc/ssl/cert.pem

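The post above says the fix was to append the CA's PEM block to /usr/local/etc/ssl/cert.pem. Appending by hand with `cat >>` works, but it is easy to add the same CA twice or to clobber the bundle. The script below is an added example (not pfSense code and not the poster's procedure) that does the append idempotently: it parses the bundle's CERTIFICATE blocks, fingerprints each one by the SHA-256 of its DER bytes (the same value `openssl x509 -fingerprint -sha256` prints), and appends only if that fingerprint is absent, writing through a temporary file so an interrupted write cannot truncate the bundle. The bundle path is taken from the post; `make_fake_pem` and the payloads in `demo()` are constructed test data shaped like PEM, not real certificates, so the bookkeeping can be exercised offline.

```python
"""Idempotent append of a CA certificate to a PEM trust bundle.

Added example; not part of pfSense or of the forum post. The PEM-shaped
blocks built by make_fake_pem() are CONSTRUCTED test data, not certificates.
"""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Path named in the post; assumed here, adjust for your system.
BUNDLE_PATH = Path("/usr/local/etc/ssl/cert.pem")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def _armor(b64: str) -> str:
    """Wrap a base64 body in PEM armor with 64-character lines."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def pem_blocks(text: str) -> list[str]:
    """Return every CERTIFICATE block in `text`, re-armored in canonical form.

    Comment lines and other PEM types (keys, CRLs) are ignored.
    """
    return [_armor(re.sub(r"\s+", "", m.group(1))) for m in PEM_RE.finditer(text)]


def fingerprint(pem: str) -> str:
    """SHA-256 hex digest of the DER bytes inside one PEM block."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    return hashlib.sha256(der).hexdigest()


def add_ca(bundle_path: Path, ca_pem: str) -> bool:
    """Append `ca_pem` to the bundle unless the same certificate is present.

    Returns True if the bundle was modified. The write goes to a temporary
    file in the same directory and is renamed into place, so a crash
    mid-write leaves the original bundle intact.
    """
    new = pem_blocks(ca_pem)
    if len(new) != 1:
        raise ValueError("expected exactly one CERTIFICATE block in ca_pem")
    existing = bundle_path.read_text() if bundle_path.exists() else ""
    have = {fingerprint(b) for b in pem_blocks(existing)}
    if fingerprint(new[0]) in have:
        return False  # already trusted; nothing to do
    sep = "" if (not existing or existing.endswith("\n")) else "\n"
    tmp = bundle_path.with_suffix(bundle_path.suffix + ".tmp")
    tmp.write_text(existing + sep + new[0])
    tmp.replace(bundle_path)
    return True


def make_fake_pem(payload: bytes) -> str:
    """CONSTRUCTED: a PEM-shaped block around arbitrary bytes, for tests only."""
    return _armor(base64.b64encode(payload).decode())


def demo() -> dict:
    """Run add_ca against a throwaway bundle made of constructed blocks."""
    ca1 = make_fake_pem(b"constructed CA 1")
    ca2 = make_fake_pem(b"constructed CA 2")
    corp = make_fake_pem(b"constructed corporate CA")
    with tempfile.TemporaryDirectory() as d:
        bundle = Path(d) / "cert.pem"
        bundle.write_text(ca1 + ca2)
        first = add_ca(bundle, corp)    # appended
        second = add_ca(bundle, corp)   # duplicate, skipped
        blocks = pem_blocks(bundle.read_text())
        present = fingerprint(corp) in {fingerprint(b) for b in blocks}
    return {"first_add": first, "second_add": second,
            "count": len(blocks), "present": present}


if __name__ == "__main__":
    print(demo())
```

On a live system you would call `add_ca(BUNDLE_PATH, Path("corp-ca.pem").read_text())` as root. Keep the CA file somewhere you can re-apply it: the bundle is an installed file that a later package update may replace (an assumption about the bundle, not something the thread states). As the later replies in this thread point out, this only changes what pfSense itself trusts for its own outbound HTTPS; hosts behind the firewall keep their own trust stores.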
              • viktor_g (Netgate), replying to @999Vladislav999

                @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

                Thanks for trying to help, I figured it out: it was necessary to add the PEM encoding at the path /usr/local/etc/ssl/cert.pem

                Please check this https://redmine.pfsense.org/issues/4068

                • johnpoz (LAYER 8 Global Moderator)

                  @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

                  without installing this certificate, I can’t go to the Internet

                  Huh? How does installing a CA into pfSense get you internet access - just at a loss as to what you're doing at all..

                  And it sure as hell doesn't belong in the TSNR section. Moving.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  • jimp (Rebel Alliance Developer, Netgate)

                    Adding their upstream provider proxy's snooping CA will let pfSense make HTTPS requests through their (compromised, insecure) proxy without using manual proxy settings.

                    There is no supported method for adding a CA that way on 2.4.5. The feature was recently implemented on 2.5.0.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    • johnpoz (LAYER 8 Global Moderator)

                      Oh so pfsense can do its "own" traffic through the snooping upstream proxy... This would have zero to do with clients behind pfsense - those clients would need to trust this CA as well.. Because the upstream proxy is doing mitm..

                      What gov is this?


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.