Netgate Discussion Forum

Adding a Trusted Root Certificate Authority Certificate

General pfSense Questions
    999Vladislav999
    last edited by May 19, 2020, 10:16 AM

    Greetings dear forum users!
    I really need help. I use pfSense in my company, and we were obliged to put a certificate that monitors the activities of the organization’s employees, now I need to install this certificate in the milking root certification authorities. I am using pfSense 2.4 and cannot figure out where I need to install it. I don't know FreeBSD well, so I am contacting you for help.

    [2.4.5-RELEASE][admin@si.ua/etc/ssl: date
    Tue May 19 10:10:02 +03 2020
    Updating pfSense-core repository catalogue...
    Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
    34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
    34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
    34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:
    pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error
    repository pfSense-core has no meta file, using default settings
    Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
    34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:

      Gertjan
      last edited by May 19, 2020, 10:30 AM

      Hi !

      @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

      > and we were obliged to put a certificate that monitors the activities of the organization’s employees

      Certificates cannot monitor someone or something.
      Please elaborate.

      @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

      > this certificate in the milking root certification authorities.

      Major Google translate error?
      (certificates have nothing in common with cows either)

      @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

      > [2.4.5-RELEASE][admin@si.ua/etc/ssl: date
      > Tue May 19 10:10:02 +03 2020
      > Updating pfSense-core repository catalogue...
      > Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/CN=Intermediate for USIAG/emailAddress=support@sts.kz
      > .......
      > 34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/crypto/openssl/ssl/s3_clnt.c:1269:

      What are you doing ??

      First things first.
      Point a browser at http://192.168.1.1
      pfSense administration is done using the GUI access.
      You'll find the menu where you can create / import / export CA certs and more.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        999Vladislav999
        last edited by May 19, 2020, 10:44 AM

        I'm going
        System->Cert. Manager->Certificates->Add/Sign->Import an existing Certificate
        but there you need to have public and private keys, I have only the public one, which is installed as for example in firefox, in trusted root certification authorities. The certificate that we are required to install controls the traffic, like a person in the middle, without installing this certificate, I can’t go to the Internet

          999Vladislav999
          last edited by May 19, 2020, 10:54 AM

          This is done at the level of internet providers

            999Vladislav999
            last edited by May 19, 2020, 11:24 AM

            Thanks for trying to help, I figured it out, it was necessary to add pem encoding along the path /usr/local/etc/ssl/cert.pem

              viktor_g Netgate @999Vladislav999
              last edited by May 19, 2020, 11:39 AM

              @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

              > Thanks for trying to help, I figured it out, it was necessary to add pem encoding along the path /usr/local/etc/ssl/cert.pem

              Please check this https://redmine.pfsense.org/issues/4068

                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz May 19, 2020, 12:36 PM May 19, 2020, 12:36 PM

                @999Vladislav999 said in Adding a Trusted Root Certificate Authority Certificate:

                > without installing this certificate, I can’t go to the Internet

                Huh? How does installing a CA into pfsense get you internet access - just at a loss to what you're doing at all..

                And it sure and the hell doesn't belong in the TSNR section. Moving.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  jimp Rebel Alliance Developer Netgate
                  last edited by May 19, 2020, 7:37 PM

                  Adding their upstream provider proxy's snooping CA will let pfSense make HTTPS requests through their (compromised, insecure) proxy without using manual proxy settings.

                  There is no supported method for adding a CA that way on 2.4.5. The feature was recently implemented on 2.5.0.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!
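An added example, not written by any poster in this thread: a small Python parser for the pkg output in the first post. It extracts the subject of the certificate that failed verification and the repository host that was affected, so the CA sitting in the path can be identified before anything is appended to a trust bundle. The `expected_orgs` allowlist and its value are assumptions for illustration.

```python
import re
from collections import Counter

# Sample input: lines copied from the pkg output in the first post, abbreviated.
_FAIL = ("Certificate verification failed for /C=KZ/ST=Nur-Sultan/O=STS/OU=HQ/"
         "CN=Intermediate for USIAG/emailAddress=support@sts.kz")
_ERR = ("34404134216:error:14090086:SSL routines:ssl3_get_server_certificate:"
        "certificate verify failed:/build/ce-crossbuild-245/sources/FreeBSD-src/"
        "crypto/openssl/ssl/s3_clnt.c:1269:")
PKG_OUTPUT = "\n".join(
    ["Updating pfSense-core repository catalogue..."] + [_FAIL, _ERR] * 3 +
    ["pkg: https://pkg.pfsense.org/pfSense_v2_4_5_amd64-core/meta.txz: Authentication error"])

FAIL_RE = re.compile(r"^Certificate verification failed for (/.+)$")
HOST_RE = re.compile(r"^pkg: https://([^/\s]+)/\S*: Authentication error$")
# OpenSSL "oneline" DN: split only where a new /KEY= starts, because values
# such as the CN above contain spaces.
ATTR_RE = re.compile(r"/([A-Za-z0-9.]+)=(.*?)(?=/[A-Za-z0-9.]+=|$)")

def parse_dn(dn):
    """Turn '/C=KZ/O=STS/CN=...' into {'C': 'KZ', 'O': 'STS', 'CN': '...'}."""
    return dict(ATTR_RE.findall(dn))

def report(output, expected_orgs):
    """Summarise which certificate subjects failed and which hosts were hit.

    expected_orgs is an operator-supplied allowlist (assumption): the O= values
    of the CAs you expect to see in front of your package repositories.
    """
    subjects, hosts = Counter(), set()
    for line in output.splitlines():
        line = line.strip()
        if (m := FAIL_RE.match(line)):
            subjects[m.group(1)] += 1
        elif (m := HOST_RE.match(line)):
            hosts.add(m.group(1))
    findings = []
    for dn, count in subjects.items():
        attrs = parse_dn(dn)
        findings.append({"cn": attrs.get("CN"), "org": attrs.get("O"),
                         "country": attrs.get("C"), "count": count,
                         "unexpected": attrs.get("O") not in expected_orgs})
    return {"hosts": sorted(hosts), "subjects": findings}

if __name__ == "__main__":
    # "Example Trusted CA" is a constructed placeholder, not a real CA name.
    print(report(PKG_OUTPUT, {"Example Trusted CA"}))
```

A subject flagged `unexpected` in front of a package repository means the TLS session is being terminated by something other than the repository, which is the condition described in the post above.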

                    johnpoz LAYER 8 Global Moderator
                    last edited by May 20, 2020, 9:11 AM

                    Oh so pfsense can do its "own" traffic through the snooping upstream proxy... This would have zero to do with clients behind pfsense - those clients would need to trust this CA as well.. Because the upstream proxy is doing mitm..

                    What gov is this?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.