ICA not shown when trying to sign request

it_ib

Hi there!
We have an external CA imported, which is used to sign certificte requests for VPN.
Now after a few months, I need to sign the request of a new client and the ICA-Cert is not shown anymore in "Sign a Certificate signing request".
The CA which signed the ICA is shown and the internal.
Both CA and ICA are valid.

stephenw10

Neither have expired?

This is in 2.4.5p1 and was previously also?

Steve

it_ib

Its 2.4.5p1, the certs expire in 18 Months.
I don't know when i updated to this version, can't really tell, when this behaviour occured first.
Even re-importing the ICA didn't work.
My problem while I need it this way is, Windows-Computers get their machine cert from AD, which is used for Auth VPN IPSec Mobile on the PF.
MACs don't get their cert from AD, so I inported the AD ICA to the PF and create and sign the certs for MAC on th PF.

I managed to manually sign the request created on the PF in the AD by setting all the additional attributes I use in IPSec Mobiles. So at the moment, there is no time critical pressure, but I want to know what happened to my ICA-cert...

viktor_g

@it_ib

Can you see ICA on the System / Cert Manager / CAs page?

Could you show the openssl x509 -in icacert.crt -text -noout output?

it_ib

@viktor_g said in ICA not shown when trying to sign request:

x509 -in icacert.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:00:01:bc:8b:70:7a:1d:79:d8:c7:07:77:00:01:00:01:bc:8b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = local, DC =<removed>, CN = <removed>
        Validity
            Not Before: Feb  8 08:11:23 2021 GMT
            Not After : Feb  8 08:21:23 2023 GMT
        Subject: DC = local, DC = <removed>, CN = <removed>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    <removed>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                .....
            1.3.6.1.4.1.311.21.2:
                ..\&..".4...tF......\\
            X509v3 Subject Key Identifier:
                <removed>
                .
.S.u.b.C.A
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                <removed>

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:<removed>
            Authority Information Access:
                CA Issuers - URI:<removed>

    Signature Algorithm: sha256WithRSAEncryption
         <removed>

viktor_g

@it_ib Please check that you have private key for this CA

it_ib

@viktor_g
I could export the cert with key from AD and split it.
But I didn't need to import the PK before.
The field says "Optional".
It worked before without PK.

viktor_g

@it_ib You need the private CA key to sign the CSR

see https://docs.netgate.com/pfsense/en/latest/certificates/certificate.html#sign-a-certificate-signing-request:

Sign a Certificate Signing Request
Signing a certificate signing request (CSR) is a special process which uses an internal CA on the firewall to sign a CSR and turn it into a full-fledged certificate.

The following options are available when signing a CSR:

CA to sign with
The CA on the firewall which will sign this CSR. This must be an internal CA (private key present).