Adding a Trusted Root Certificate Authority Certificate

999Vladislav999 · May 19, 2020, 10:16 AM

Greetings dear forum users!
I really need help. I use pfSense in my company, and we were obliged to put a certificate that monitors the activities of the organization’s employees, now I need to install this certificate in the milking root certification authorities. I am using pfSense 2.4 and cannot figure out where I need to install it. I don't know FreeBSD well, so I am contacting you for help.

[2.4.5-RELEASE][admin@si.ua/etc/ssl: date
Tue May 19 10:10:02 +03 2020
Updating pfSense-core repository catalogue...
Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:

Gertjan · May 19, 2020, 10:30 AM

Hi !

@999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

and we were obliged to put a certificate that monitors the activities of the organization’s employees

Certificates can not monitor some one or something.
Plaese elaborate.

@999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

this certificate in the milking root certification authorities.

Major Google translate error ?
( certificates have nothing in common with cows neither )

@999Vladislav999 said in [Adding a Trusted Root Certificate Authority Certificate](/post/912878):
> [2.4.5-RELEASE][admin@si.ua/etc/ssl: date
> Tue May 19 10:10:02 +03 2020
> Updating pfSense-core repository catalogue...
> Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for
.......
USIAG/emailAddress=support@sts.kz
> 34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:

What are you doing ??

First things first.
Point a browser at http://192.168.1.1
pfSense administration is done using the GUI access.
You'll find the menu where you can create / import / export CA certs and more.

999Vladislav999 · May 19, 2020, 10:44 AM

I'm going
System->Cert. Manager->Certificates->Add/Sign->Import an existing Certificate
but there you need to have public and private keys, I have only the public one, which is installed as for example in firefox, in trusted root certification authorities. The certificate that we are required to install controls the traffic, like a person in the middle, without installing this certificate, I can’t go to the Internet

999Vladislav999 · May 19, 2020, 10:54 AM

This is done at the level of internet providers

999Vladislav999 · May 19, 2020, 11:24 AM

Thanks for trying to help, I figured it out, it was necessary to add pem encoding along the path /usr/local/etc/ssl/cert.pem

viktor_g · May 19, 2020, 11:39 AM

@999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

Thanks for trying to help, I figured it out, it was necessary to add pem encoding along the path /usr/local/etc/ssl/cert.pem

Please check this https://redmine.pfsense.org/issues/4068

johnpoz · May 19, 2020, 12:36 PM

@999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

without installing this certificate, I can’t go to the Internet

Huh? How does installing a CA into pfsense get you internet access - just at a loss to what your doing at all..

And it sure and the hell doesn't belong in the TSNR section. Moving.

jimp · May 19, 2020, 7:37 PM

Adding their upstream provider proxy's snooping CA will let pfSense make HTTPS requests through their (compromised, insecure) proxy without using manual proxy settings.

There is no supported method for adding a CA that way on 2.4.5. The feature was recently implemented on 2.5.0.

johnpoz · May 20, 2020, 9:11 AM

Oh so pfsense can do its "own" traffic through the snooping upstream proxy... This would have zero to do with clients behind pfsense - those clients would need to trust this CA as well.. Because the upstream proxy is doing mitm..

What gov is this?