Not able to import CA certificate to use for OpenVPN Client
-
@johnpoz said in Not able to import CA certificate to use for OpenVPN Client:
basicConstraints=CA:true
Ok, thx. for that info. I will forward this....
-
I also mentioned this bug fix in my first message because I thought - then - that there is a distinction between 'usable' (-> make new signed certificates from this CA with help of pfSense and the provided private key for it) and 'trusted only' (check if used as root for other certs). Then it could make sense only to check this "CA bit" if you also enter a private key on import ...
@RobertK66 said in Not able to import CA certificate to use for OpenVPN Client:
It seems that this issue: https://redmine.pfsense.org/issues/7885 introduced a check that my CA does not pass! But why is this? It's a valid cert and it was used to create my client/server certs (I do not need it as a 'usable CA' as the bug report asks to be checked when importing CAs).
Is there some other way I can import my CA as 'trusted CA' only and not as 'usable CA'!?
... but as I learned now, every CA has to set its "basicConstraints=CA:true" to be accepted as a CA. Thx. again for clarifying that.
-
I can't vouch that it wouldn't break anything but you could just edit the system_camanager.php page and comment out the validation check https://github.com/pfsense/pfsense/blob/master/src/usr/local/www/system_camanager.php#L171
Then import it. I don't recall if it's checked before use in OpenVPN frontend or backend so there may be some other similar checks to edit.
But the real fix is to use a proper cert. Just because OpenVPN/OpenSSL allows it today doesn't mean it always will.
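
A check to run before importing, as an added example that is not part of the original thread: it uses the `openssl` CLI to test whether a certificate carries `basicConstraints=CA:true`, and demonstrates it on two throwaway self-signed certificates. The helper names, file names and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-import check for the basicConstraints CA flag.
# Helper names, file names and subject names are constructed for this demo.

# is_ca FILE -> exit 0 only if the certificate carries basicConstraints CA:TRUE
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# make_cert OUTFILE CN VALUE -> self-signed test cert with basicConstraints=CA:VALUE
make_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $2
[ext]
basicConstraints = critical,CA:$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# Build one cert with the CA bit and one without, then run the check on both.
demo() {
    dir=$(mktemp -d)
    make_cert "$dir/good-ca.pem" "Demo Root CA" TRUE
    make_cert "$dir/bad-ca.pem" "Demo Not A CA" FALSE
    for f in "$dir/good-ca.pem" "$dir/bad-ca.pem"; do
        if is_ca "$f"; then
            echo "$f: CA:TRUE present, acceptable as a CA"
        else
            echo "$f: CA:TRUE missing, re-issue it before importing"
        fi
    done
    rm -rf "$dir"
}
demo
```
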