Netgate Discussion Forum
    ICA not shown when trying to sign request

    General pfSense Questions
    8 Posts, 3 Posters, 652 Views
    • it_ib:

      Hi there!
      We have an external CA imported, which is used to sign certificate requests for VPN.
      Now after a few months, I need to sign the request of a new client and the ICA-Cert is not shown anymore in "Sign a Certificate signing request".
      The CA which signed the ICA is shown, and the internal one.
      Both CA and ICA are valid.

      • stephenw10 (Netgate Administrator):

        Neither have expired?

        This is in 2.4.5p1 and was previously also?

        Steve

        • it_ib (@stephenw10):

          It's 2.4.5p1, the certs expire in 18 months.
          I don't know when I updated to this version, can't really tell when this behaviour occurred first.
          Even re-importing the ICA didn't work.
          My problem while I need it this way is, Windows computers get their machine cert from AD, which is used for Auth VPN IPSec Mobile on the PF.
          Macs don't get their cert from AD, so I imported the AD ICA to the PF and create and sign the certs for Macs on the PF.

          I managed to manually sign the request created on the PF in the AD by setting all the additional attributes I use in IPSec Mobiles. So at the moment, there is no time critical pressure, but I want to know what happened to my ICA-cert...

          • viktor_g (Netgate, @it_ib):

            @it_ib

            Can you see ICA on the System / Cert Manager / CAs page?

            Could you show the openssl x509 -in icacert.crt -text -noout output?

            • it_ib (@viktor_g):

              @viktor_g said in ICA not shown when trying to sign request:

              x509 -in icacert.crt -text -noout

              Certificate:
                  Data:
                      Version: 3 (0x2)
                      Serial Number:
                          36:00:01:bc:8b:70:7a:1d:79:d8:c7:07:77:00:01:00:01:bc:8b
                  Signature Algorithm: sha256WithRSAEncryption
                      Issuer: DC = local, DC =<removed>, CN = <removed>
                      Validity
                          Not Before: Feb  8 08:11:23 2021 GMT
                          Not After : Feb  8 08:21:23 2023 GMT
                      Subject: DC = local, DC = <removed>, CN = <removed>
                      Subject Public Key Info:
                          Public Key Algorithm: rsaEncryption
                              Public-Key: (2048 bit)
                              Modulus:
                                  <removed>
                              Exponent: 65537 (0x10001)
                      X509v3 extensions:
                          1.3.6.1.4.1.311.21.1:
                              .....
                          1.3.6.1.4.1.311.21.2:
                              ..\&..".4...tF......\\
                          X509v3 Subject Key Identifier:
                              <removed>
                              .
              .S.u.b.C.A
                          X509v3 Key Usage:
                              Digital Signature, Certificate Sign, CRL Sign
                          X509v3 Basic Constraints: critical
                              CA:TRUE
                          X509v3 Authority Key Identifier:
                              <removed>
              
                          X509v3 CRL Distribution Points:
              
                              Full Name:
                                URI:<removed>
                          Authority Information Access:
                              CA Issuers - URI:<removed>
              
                  Signature Algorithm: sha256WithRSAEncryption
                       <removed>
              
              • viktor_g (Netgate, @it_ib):

                @it_ib Please check that you have a private key for this CA

                • it_ib (@viktor_g):

                  @viktor_g
                  I could export the cert with key from AD and split it.
                  But I didn't need to import the PK before.
                  The field says "Optional".
                  It worked before without PK.

                  • viktor_g (Netgate, @it_ib):

                    @it_ib You need the private CA key to sign the CSR

                    see https://docs.netgate.com/pfsense/en/latest/certificates/certificate.html#sign-a-certificate-signing-request:

                    Sign a Certificate Signing Request
                    Signing a certificate signing request (CSR) is a special process which uses an internal CA on the firewall to sign a CSR and turn it into a full-fledged certificate.

                    The following options are available when signing a CSR:

                    CA to sign with
                    The CA on the firewall which will sign this CSR. This must be an internal CA (private key present).

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.