    How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?

    General pfSense Questions
      ramses.sevilla wrote:

      Hi everyone,

      First, I want to tell you that I have no experience with certificates.

      I have a pfSense 2.4.5-RELEASE-p1 with two Certificate Authorities that expire next year. These CAs have been used to generate the certificates of two OpenVPN Servers and the User Certificates, which expire next year too.

      Can I change or extend the expiration date of the Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?

      If yes, how can I do this?

      Best regards

        viragomann wrote:

        @ramses-sevilla
        Update to 2.5 before expiration:
        https://github.com/pfsense/docs/blob/master/source/releases/2-5-0-new-features-and-changes.rst

          jimp (Rebel Alliance Developer, Netgate) wrote:

          On 2.5.0 you can renew CA and certificate entries in-place. You will need to give new copies of the entries to the clients who need them, though, since the certs will be different, even if their content is the same (except the dates).

            ramses.sevilla wrote:

            Hi,

            I have a pfSense 2.4.5_1 with an OpenVPN Server in production.

            This pfSense has:

            Certificate Authorities --> ca-prod-1 --> Valid from: 23 Apr 2020 --> Valid Until: 21 Apr 2030 (Internal) --> OpenVPN Server

            Server Certificate (OpenVPN) --> srv-prod-1 --> Valid from: 23 Apr 2020 --> Valid Until: 21 Apr 2030

            User Certificate --> usr-prod-1 --> Valid from: 23 Apr 2020 --> Valid Until: 21 Apr 2030

            Certificate Authorities --> ca-prod-2 --> Valid from: 21 May 2002 --> Valid Until: 16 May 2022 (External) --> IPsec Tunnel

            IPsec Tunnel --> ip-prod-2 --> Valid from: 18 Sep 2019 --> Valid Until: 16 May 2022 (External) --> IPsec Tunnel

            What would happen if the CA, OpenVPN Server Certificate or User Certificate expires? Would the OpenVPN Server stop working, or would the users be unable to connect to the OpenVPN Server?

            To update the expiration date of the CA and the certificates, it was recommended to me that I update to pfSense 2.5.0.

            I have seen in the forum that there are some problems with the update to 2.5 with hardware (SuperServer 5018D-FN8T), IPsec and DHCP Relay that I use in my production environment.

            I have updated a test environment to pfSense 2.5.0 to look at the renew feature, and I have some doubts:

            • If I renew the CA, would something stop working?

            • If I renew the Certificate OpenVPN Server, would something stop working?

            • If I renew the User Certificates, would something stop working?

            As I said before, I have no experience with certificates.

            Sorry if my English is not very good.

            Best regards

              Gertjan @ramses.sevilla wrote:

              What you could do, without any risk:

              Make a backup of the pfSense config.
              Basically, no joke, but that just did half of the work.

              Now: remove from every user in the user manager the certificate used for the VPN access.
              When they are all removed from all the users, you can remove the 'per user' certificates.

              This is such a certificate:

              [screenshot]

              There will be a certificate per OpenVPN user.

              When this is done, you can remove the "main" OpenVPN certificate that is based on the CA OpenVPN certificate.

              This one:

              [screenshot]

              Now, go to the CA tab and you will be able to remove the OpenVPN certificate.

              This one:

              [screenshot]

              Btw: these certificates are all "10 years" or so.

              Now, the same thing, in the reverse order.
              Create an "OpenVPN" CA (on the CA tab).
              Make a new "OpenVPN" certificate (on the Certificate tab).
              Go to the User manager, and for every OpenVPN user, create/add a new certificate, based on the "OpenVPN" certificate.
              Export an OpenVPN config file.
              Test it for this one user.
              Deploy the config files to all the users (and while doing so, check all the user installs for the latest OpenVPN client version, etc. etc.).

              Something goes wrong?
              Just import the config backup - reboot - and you're back where you started.

              Btw: this took more time to type than to do it.
              True: it seems 2.5.0 adds 'renews' all over the place. Didn't test them yet.
              I'll give it a go in 2027 or so.

                ramses.sevilla @Gertjan wrote:

                @gertjan thanks so much for your answer.

                Your solution has a problem for me, and it is that I have over 300 OpenVPN users.

                I am looking for another solution that permits me to renew the expiration date of the CA, Server and User Certificates without anything stopping working.

                Is this possible?

                How can I do it?

                Best regards

                  jimp (Rebel Alliance Developer, Netgate) wrote:

                  If you renew the CA but all the details stay the same it should continue to work, but in some cases you may have to copy the new CA to clients. Certificates will still see they are signed by the CA even after renewal since it's just renewed, not a different CA.

                  Server certificates (GUI, OpenVPN, mobile IPsec, etc) can be renewed at any time, those aren't copied to clients.

                  If you renew a user certificate, you will have to copy the renewed certificate to the client; you can't avoid that.

                  There isn't a way to do batch operations like mass renew in the GUI or shell currently.

                    ramses.sevilla @jimp wrote:

                    @jimp I am checking the renew certificate option in pfSense 2.5.0 in a testing environment.

                    The CA Certificate renewal apparently succeeds.

                    The User Certificate renewal apparently succeeds.

                    But when I try to renew the Server Certificate used by the OpenVPN server, the following error is displayed:

                    [screenshot]

                    And I can't renew the Server Certificate used by the OpenVPN Server.

                    What could it be?

                    Best regards

                      jimp (Rebel Alliance Developer, Netgate) wrote:

                      I'm not aware of what might cause that general error. There may be some aspect of the certificate that is deprecated or no longer supported in OpenSSL for new certs. Hard to say without more details.

                        ramses.sevilla @jimp wrote:

                        @jimp What more details do you need to know about the server certificate?

                        The certificate was created in pfSense 2.4.5-p1, in the process of creating the OpenVPN Server, before updating to pfSense 2.5.0.

                        Regards

                          Gertjan @ramses.sevilla wrote:

                          @ramses-sevilla
                          Aren't these valid like 'ten years' or so?
                          See my image above.

                            ramses.sevilla @Gertjan wrote:

                            @gertjan

                            Yes, this server certificate is valid for ten years, but I am testing the renew certificates option that has been introduced in pfSense 2.5.0, and I can renew the CA Certificate and the User Certificate, but when I try to renew the OpenVPN Server Certificate the following error is displayed:

                            [screenshot]

                            And I don't know why.

                            Best regards

                              provels @ramses.sevilla wrote:

                              @ramses-sevilla
                              Just a guess, but have you tried disabling the server before renewing the certificate?

                                jimp (Rebel Alliance Developer, Netgate) @provels wrote:

                                @ramses-sevilla said in How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?:

                                Yes, this server certificate is valid for ten years, but I am testing the renew certificates option that has been introduced in pfSense 2.5.0, and I can renew the CA Certificate and the User Certificate, but when I try to renew the OpenVPN Server Certificate the following error is displayed:

                                Can you share the details of the certificate as shown in the GUI list and info box (click the "i" icon)? Nothing I have tried has resulted in that error.

                                @provels said in How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?:

                                @ramses-sevilla
                                Just a guess, but have you tried disabling the server before renewing the certificate?

                                That's not necessary, the renewal process will restart servers using the certificate afterward.

                                  ramses.sevilla @jimp wrote:

                                  @jimp

                                  [screenshot]

                                  [screenshot]

                                  @provels

                                  Yes, I have tried:

                                  • Stopping the server.
                                  • Disabling the server.

                                  And I have created a new Server Certificate in pfSense 2.5.0 and tried to renew this new Server Certificate, and it shows me the same error.

                                  Has anyone tried to renew a Server Certificate in pfSense 2.5.0?

                                  Regards

                                    jimp (Rebel Alliance Developer, Netgate) wrote:

                                    I have renewed all kinds of certificates, server and otherwise, in 2.5 and they all work for me. Which leads me to believe it's something in your certificate data triggering the problem.

                                    Can you try adjusting the CN so it doesn't have a space in it?

                                    Not that it should be a problem but typically that's a short name or hostname and not a string like that. I can't recall if I tested that sort of value.

                                      jimp (Rebel Alliance Developer, Netgate) wrote:

                                      It's definitely the space in the CN doing it. I can reproduce that here:

                                      https://redmine.pfsense.org/issues/11652

                                        ramses.sevilla @jimp wrote:

                                        @jimp

                                        To adjust the CN I need to create a new certificate, right?

                                        I can't modify the CN of the Server Certificate, right?

                                        The CA has a space in the CN and it renews the certificate without problem.

                                        I have created a new certificate without spaces in the CN and it renews fine.

                                        Will the problem be solved?

                                        Best regards

                                          jimp (Rebel Alliance Developer, Netgate) wrote:

                                          @ramses-sevilla said in How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?:

                                          @jimp

                                          To adjust the CN I need to create a new certificate, right?

                                          Yes, but since it's a server certificate which doesn't need to be sent to clients, that's typically easy, make a new cert, pick it to be used as the server cert, and that's it.

                                          I can't modify the CN of the Server Certificate, right?

                                          Correct.

                                          The CA has a space in the CN and it renews the certificate without problem.

                                          That's expected as a CA is a different type of entry from a certificate, certificates have a lot more data in them and a lot more to go wrong.

                                          Will the problem be solved?

                                          Yes, I tracked it down further and the real problem is a lack of SAN entries in the certificate. Normally it will take the common name and add that as a SAN entry, but in these cases that kind of common name cannot be a valid SAN entry. The SAN list ends up empty since there are no manual entries nor the entry for the CN. The certificate renewal code was assuming all certificates have a SAN, which in these cases is not true.

                                          You can install the System Patches package and then create an entry for 09d3fe621a56292817a85a54916e8b99e2b26c00 to apply the fix. With that fix applied, you can renew certificates with spaces or x509-escaped characters in their CN which lack SANs.

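Added example, not code from the thread or from pfSense: the openssl commands below demonstrate two points jimp makes above, that a CA renewed in place (same key, same subject, only new dates) still validates the certificates it signed earlier while a re-keyed CA does not, and that a certificate whose CN contains a space ends up with no subjectAltName unless one is configured by hand. All names (ca-prod-demo, "OpenVPN Server", vpn.example.test) are constructed, and cn_to_san is a simplified stand-in for pfSense's CN-to-SAN rule, not its code.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense). Requires the openssl CLI.
# 1) A CA renewed in place (same key, same subject, new dates) still verifies
#    the certificates it signed before the renewal; a re-keyed CA does not.
# 2) A certificate whose CN contains a space gets no subjectAltName unless one
#    is configured by hand, which is the case the renewal code mishandled.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# CA extension profile (constructed for this demo).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"

# new_key NAME: create an EC key only if NAME.key is missing, so running
# make_ca twice for the same NAME renews the certificate instead of re-keying.
new_key() {
  if [ ! -f "$WORK/$1.key" ]; then
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$WORK/$1.key" 2>/dev/null
  fi
}

# make_ca NAME SUBJECT DAYS: self-signed CA certificate over NAME.key.
make_ca() {
  new_key "$1"
  openssl req -new -key "$WORK/$1.key" -subj "$2" 2>/dev/null |
    openssl x509 -req -signkey "$WORK/$1.key" -days "$3" \
      -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# cn_to_san CN: simplified stand-in for "use the CN as a SAN when it is a
# valid hostname" (not pfSense's code): prints DNS:<cn>, or nothing when the
# CN contains a space or any other character a DNS name cannot hold.
cn_to_san() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) ;;
    *) printf 'DNS:%s' "$1" ;;
  esac
}

# make_leaf NAME CN CA DAYS [MANUAL_SAN]: leaf certificate signed by CA; the
# SAN list is whatever cn_to_san yields plus an optional manual entry, and the
# subjectAltName line is simply omitted when that list is empty.
make_leaf() {
  name="$1"; cn="$2"; ca="$3"; days="$4"; manual="${5:-}"
  san="$(cn_to_san "$cn")"
  if [ -n "$manual" ]; then san="${san:+$san,}$manual"; fi
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/$name.ext"
  if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san" >> "$WORK/$name.ext"; fi
  new_key "$name"
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" 2>/dev/null |
    openssl x509 -req -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
      -days "$days" -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_chain LEAF CA: prints ok when LEAF.crt validates against CA.crt.
verify_chain() {
  if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# has_san NAME: prints yes when NAME.crt carries a subjectAltName extension.
has_san() {
  if openssl x509 -in "$WORK/$1.crt" -noout -text 2>/dev/null |
       grep -q 'Subject Alternative Name'; then
    echo yes
  else
    echo no
  fi
}

# Build the scenario from the thread: a 10-year CA, a server cert with a
# space in its CN and no manual SAN, and a server cert with a hostname CN.
make_ca   ca-prod-demo "/CN=OpenVPN CA" 3650
make_leaf srv-space    "OpenVPN Server"   ca-prod-demo 3650
make_leaf srv-host     "vpn.example.test" ca-prod-demo 3650
cp "$WORK/ca-prod-demo.crt" "$WORK/ca-before.crt"

# Renew the CA in place (same key, same subject, fresh dates and serial),
# and separately build a CA with the same subject but a brand-new key.
make_ca ca-prod-demo "/CN=OpenVPN CA" 3650
make_ca ca-rekeyed   "/CN=OpenVPN CA" 3650

echo "leaf vs original CA:  $(verify_chain srv-space ca-before)"    # ok
echo "leaf vs renewed CA:   $(verify_chain srv-space ca-prod-demo)" # ok
echo "leaf vs re-keyed CA:  $(verify_chain srv-space ca-rekeyed)"   # fail
echo "SAN on 'OpenVPN Server' cert: $(has_san srv-space)"           # no
echo "SAN on hostname cert:         $(has_san srv-host)"            # yes
```

The third line of output is why "renewed, not a different CA" matters for the 300 users: the existing user certificates keep validating against the renewed CA only because its key did not change.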
                                            ramses.sevilla @jimp wrote:

                                            @jimp

                                            I have applied the patch and now I can renew the Server Certificate fine in my testing environment.

                                            I have the production environment with a cluster in pfSense 2.4.5-p1. I had thought of updating to pfSense 2.5.0 because I need to renew the CA, Server and User Certificates, but I have seen in the forum that the update to pfSense 2.5.0 breaks some services (hardware, IPsec, DHCP Relay, ...) that I have configured in my environment.

                                            I have some doubts:

                                            • Do you recommend that I wait for the next pfSense version?

                                            • Will all patches be included in the next version?

                                            • How long will it take for the next version to come out?

                                            • Can I renew a Certificate without problems if it has expired?

                                            Best regards

                                              jimp (Rebel Alliance Developer, Netgate) @ramses.sevilla wrote:

                                              @ramses-sevilla said in How to renew the expiration date of Certificate Authorities, OpenVPN Server Certificates and User Certificates in pfSense?:

                                              Do you recommend that I wait for the next pfSense version?

                                              That's up to you.

                                              Will all patches be included in the next version?

                                              This fix will be, but not every single commit that's happened recently. Primary focus is on fixing regressions and other important behavior that isn't functioning properly.

                                              How long will it take for the next version to come out?

                                              Not too long, but we don't have a firm ETA. Sometime in the next few weeks, most likely.

                                              Can I renew a Certificate without problems if it has expired?

                                              Yes, though if you wait until it expires, it may be rejected by clients after it expires.

                                              You could renew the certificate on a 2.5 lab system and then copy the certificate back over into the older configuration and use it there in the meantime.

                                                ramses.sevilla @jimp wrote:

                                                @jimp

                                                Well, recapping...

                                                I have a pfSense 2.4.5_1 cluster with an OpenVPN Server in production.

                                                This pfSense has:

                                                Certificate Authorities --> ca-prod-1 --> Valid from: 23 Apr 2020 --> Valid Until: 21 Apr 2030 (Internal) --> OpenVPN Server

                                                Server Certificate (OpenVPN) --> srv-prod-1 --> Valid from: 23 Apr 2020 --> Valid Until: 21 Apr 2030

                                                User Certificate --> usr-prod-1 --> Valid from: 23 Apr 2020 --> Valid Until: 21 Apr 2030

                                                To renew the Expiration Date of the Certificates, I need:

                                                • First: I need to renew the Expiration Date of the Certificate Authority. I don't need to send anything to the OpenVPN Client nor modify anything in the OpenVPN Server, and everything will continue working fine. Right?

                                                • Second: I need to renew the Expiration Date of the Server Certificate. I don't need to send anything to the OpenVPN Client nor modify anything in the OpenVPN Server, and everything will continue working fine. Right?

                                                • Third: I need to renew the Expiration Date of the User Certificates. I need to resend each renewed certificate to the user. Right?

                                                • Doubts:

                                                If the User Certificate passes its Expiration Date, can I renew it and send the renewed certificate later?

                                                What would happen if the Certificate Authority expires? Would everything still work? Can I renew the Certificate Authority later?

                                                What would happen if the Server Certificate expires? Would everything still work? Can I renew the Server Certificate later?

                                                Best regards

                                                  ramses.sevilla wrote:

                                                  @jimp thanks so much for your answers.

                                                  I have other issues renewing Certificates.

                                                  When I create a new User and check the option to create a Certificate, I select these options:

                                                  [screenshot]

                                                  If I go to "VPN > OpenVPN > Client Export", the new User appears for export:

                                                  [screenshot]

                                                  Well, if I try to renew the Certificate of the new User (usuario2), it shows this:

                                                  [screenshot]

                                                  But I selected Digest SHA256 when I created the new User (usuario2).

                                                  If I renew the Certificate of the new User and later go to "VPN > OpenVPN > Client Export", the new User (usuario2) does not appear for export:

                                                  [screenshot]

                                                  This occurs even if I mark the option "Enforce strict security parameters" when renewing the User Certificate.

                                                  The other User that appears (soporte) is a User that I had created in pfSense before updating to pfSense 2.5.0, and I can renew it without problems; it does not show the SHA2 problem when renewing the Certificate, and it appears in "VPN > OpenVPN > Client Export" for export. In case it helps you.

                                                  What can be the problem now?

                                                  Best regards

                                                    jimp (Rebel Alliance Developer, Netgate) wrote:

                                                    I can't reproduce that here at all, but I'm also on RC snapshots (2.5.1 RC / 21.02.2 RC). Might be something we already fixed since the release.

                                                    If I make a user cert from the user manager with SHA256, it gets SHA256. It shows for export. Renewal doesn't flag anything as needing changed. After renewal, it still shows for export.

                                                      ramses.sevilla @jimp wrote:

                                                      @jimp hi,

                                                      I have updated pfSense 2.4.5-p1 to pfSense 2.5.1RC and I have the same problem.

                                                      If I create the User Certificate (with SHA256):

                                                      [screenshot]

                                                      When I create the new user from User Manager, if I renew the User Certificate, it shows:

                                                      [screenshot]

                                                      And it does not appear in "VPN > OpenVPN > Client Export" for export.

                                                      If I renew a User that was already created in pfSense 2.4.5-p1, I have no problem.

                                                      If I create a new User Certificate (SHA256) from Certificate Manager, when I renew the User Certificate, it shows that the certificate is SHA256 and I have no problem. And if I edit the User that disappeared and associate this renewed certificate with the user, the User appears again in "VPN > OpenVPN > Client Export" for export.

                                                      I don't understand what happens...

                                                      Best regards

                                                        jimp (Rebel Alliance Developer, Netgate) wrote:

                                                        OK, that time I was able to reproduce it. It seems to be from creating the certificate while also creating the user, it doesn't happen when creating from the cert manager or when adding a new cert to an existing user.

                                                        Now that I can reproduce it I'll see if I can come up with a fix.

                                                        Thanks!

                                                          jimp (Rebel Alliance Developer, Netgate) wrote:

                                                          So there are two problems:

                                                          1. Creating the cert while creating the user doesn't respect the digest but it also doesn't set the type to 'user' properly: https://redmine.pfsense.org/issues/11705
                                                          2. When renewing, if the type is empty, it assumes server certificate, which is why it no longer is available in the export package: https://redmine.pfsense.org/issues/11706

                                                          We'll get fixes in for those soon.

                                                            jimp (Rebel Alliance Developer, Netgate) wrote:

                                                            Fixes are in for both now, will be in snapshots before too long (probably tomorrow or early next week, we have them disabled right now while some other work happens).

                                                            You can apply the relevant commits as patches in the meantime.

                                                            1. #11705: 937dbcc1f51e7cd73fc07890f5941cf718c0c176
                                                            2. #11706: 4af6e7f6d13dc82a9d62fbf57b00eddd7a6bf2f9
                                                              ramses.sevilla @jimp wrote:

                                                              @jimp Hi,

                                                              I have my test environment updated to pfSense 2.5.1.r.20210318.0300 version.

                                                              You told me to install these new patches to solve these new problems with the User Certificates.

                                                              1. #11705: 937dbcc1f51e7cd73fc07890f5941cf718c0c176
                                                              2. #11706: 4af6e7f6d13dc82a9d62fbf57b00eddd7a6bf2f9

                                                              I have seen that there is pfSense 2.5.1.r.20210322.0300 new version.

                                                              Do you know if this new version includes the patches that you told me about before?

                                                              Best regards

                                                                ramses.sevilla @jimp wrote:

                                                                @jimp Hi,

                                                                Well, I have updated my test environment to the pfSense 2.5.1.r.20210322.0300 version, and it seems that both patches have been added, because I have tried creating the User Certificate when I create new users from User Manager and renewing the User Certificate afterwards from Certificate Manager, and it shows me that the User Certificate is SHA256 and it doesn't disappear from "VPN > OpenVPN > Client Export" for export.

                                                                I'm going to keep doing tests.

                                                                Best regards

                                                                  ramses.sevilla wrote:

                                                                  Hi @jimp

                                                                  I have encountered another problem.

                                                                  I am doing these tests in pfSense 2.5.1.r.20210322.0300 version.

                                                                  When I export the OpenVPN User Configuration file from "VPN > OpenVPN > Client Export Utility > OpenVPN Clients > "USER" > Bundled Configurations > Archive", it generates a .zip file that contains three files:

                                                                  xxxxxx.ovpn file
                                                                  xxxxxx.p12 file
                                                                  xxxxxx.key file

                                                                  Are the xxxxxx.p12 file and the xxxxxx.key file the same that I can generate from "System > Certificate Manager > Certificates > "USER" > Export Key / Export P12"?

                                                                  I think they are not the same, because of this:

                                                                  • I have generated a .zip OpenVPN User Config file.

                                                                  • I have created an OpenVPN connection in a client with this file and it works fine.

                                                                  • I have changed the date of the pfSense to a date after the expiration date of the certificates of the CA, the OpenVPN Server and the User.

                                                                  • I have changed the date of the Client to the same date of the pfSense.

                                                                  • Evidently, the VPN Connection in the Client doesn't work because the Certificates have expired.

                                                                  • I have renewed the certificates of the CA, the OpenVPN Server and the User.

                                                                  • I have exported the .p12 and the .key files from "System > Certificate Manager > Certificates > "USER" > Export Key / Export P12"

                                                                  • I have replaced the old .p12 file by the new .p12 file in the Client and the VPN Connection works well again.

                                                                  • Then, I have replaced the old .key file by the new .key file in the Client and the VPN Connection doesn't work, it doesn't connect.

                                                                  That is, if I replace only the .p12 file the VPN Connection works, but if I replace both files the VPN Connection doesn't work.

                                                                  • I have exported a new OpenVPN User Configuration file with this new date from "VPN > OpenVPN > Client Export Utility > OpenVPN Clients > "USER" > Bundled Configurations > Archive".

                                                                  • I have created a new OpenVPN Connection in the Client with this file and it works fine.

                                                                  • I have verified that the .key file contained in the .zip file and the .key file exported from Certificate Manager have different sizes.

                                                                  • If I replace the .p12 and the .key files of the old VPN Connection with the .p12 and the .key files contained in the new .zip file, the VPN Connection connects without problems.

                                                                  Best regards

                                                                  1 Reply Last reply Reply Quote 0
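As an added example (not pfSense code and not from the thread's posters), this Python script tells the two kinds of .key apart and checks an export bundle against its .ovpn: the archive's .key is assumed here to be the OpenVPN static TLS key that the .ovpn references via tls-auth or tls-crypt, while Certificate Manager's Export Key produces the user's PEM private key, which a pkcs12-based profile never loads from a .key file. All file names and contents below are constructed placeholders.

```python
import re

# The two kinds of ".key" that get confused: the OpenVPN static TLS key that Client
# Export bundles, and a PEM private key from Certificate Manager "Export Key".
STATIC_KEY_HEADER = "-----BEGIN OpenVPN Static key V1-----"
PRIVATE_KEY_HEADERS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----",
                       "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN EC PRIVATE KEY-----")
# What each file-referencing .ovpn directive must point at.
EXPECTED_KIND = {"pkcs12": "pkcs12-der", "tls-auth": "openvpn-static-key",
                 "tls-crypt": "openvpn-static-key", "key": "private-key"}

def classify(data: bytes) -> str:
    """Guess a bundle file's kind from its header bytes."""
    if data[:2] == b"\x30\x82":  # DER SEQUENCE with long-form length, as in a .p12
        return "pkcs12-der"
    text = data.decode("utf-8", errors="replace")
    if STATIC_KEY_HEADER in text:
        return "openvpn-static-key"
    if any(h in text for h in PRIVATE_KEY_HEADERS):
        return "private-key"
    return "unknown"

def referenced_files(ovpn: str) -> dict:
    """Map each file-referencing directive in the .ovpn to its filename."""
    refs = {}
    for line in ovpn.splitlines():
        m = re.match(r"^\s*(pkcs12|tls-auth|tls-crypt|key|cert|ca)\s+(\S+)", line)
        if m:
            refs[m.group(1)] = m.group(2)
    return refs

def check_bundle(ovpn: str, files: dict) -> list:
    """Return mismatches between what the .ovpn references and the files beside it."""
    problems = []
    for directive, name in referenced_files(ovpn).items():
        want = EXPECTED_KIND.get(directive)
        if want is None:
            continue
        if name not in files:
            problems.append(f"{directive}: {name} is missing from the bundle")
        elif classify(files[name]) != want:
            problems.append(f"{directive}: {name} is {classify(files[name])}, expected {want}")
    return problems

# Constructed sample bundle with placeholder contents (no real key material).
SAMPLE_OVPN = "client\ndev tun\nremote vpn.example.invalid 1194\npkcs12 user.p12\ntls-auth user-tls.key 1\n"
STATIC_KEY = f"{STATIC_KEY_HEADER}\n{'00' * 32}\n-----END OpenVPN Static key V1-----\n".encode()
PEM_KEY = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
GOOD = {"user.p12": b"\x30\x82\x01\x00" + b"\x00" * 8, "user-tls.key": STATIC_KEY}
# The failing case from the post: the bundled TLS key overwritten with the Certificate Manager key.
SWAPPED = {"user.p12": GOOD["user.p12"], "user-tls.key": PEM_KEY}
```

Running `check_bundle(SAMPLE_OVPN, SWAPPED)` reports the tls-auth mismatch, which is why replacing only the .p12 works while replacing the .key as well breaks the connection.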