ACLs to limit users to cert manager only?


  • Hey folks,
    After a few months of testing out different open PKI platforms I've realized the interface I like the most is built into my router. I love how pfSense handles certificates and management.

    I'd like to stand up a dedicated pfSense install on an internal network (i.e., no routing, DNS, DHCP, etc. needed) and allow LDAP users to log in and get their own user certificates and/or submit a CSR to get a machine cert.

    It doesn't seem like there's an ACL for end-user access to the cert manager. My testing feels like allowing access to the users section and the certmanager is the equivalent of root access - is that accurate? Or is there a way to make my pfPKI dream a reality?

  • Rebel Alliance Developer Netgate

    What you are after is not possible because it's very weak from a security standpoint. You would be allowing anyone with LDAP credentials to download a certificate which could potentially gain them greater access. It effectively eliminates an additional security factor.

    Part of the security of certificates is protecting their distribution. Reducing that to only a username/password check (even on a local network) makes it little better than only using username/password to get into the VPN.


  • Thanks @jimp - I thought that was the case. I’ve been testing OpenXPKI which has role definitions. A user can request a cert and download a CA, for instance, but only an admin can actually a cert and download keys. I was hoping I might be able to accomplish the same thing with pfSense and its ACLs. Oh well, I’ll stick with trying to get OpenXPKI to work.

    (I still think pfSense’s cert manager could be its own product - it’s so much better than anything else I’ve seen so far!)