• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

default openssl.cnf file location used by Certificate Manager

Scheduled Pinned Locked Moved General pfSense Questions
7 Posts 2 Posters 1.4k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • N
    nagaraja
    last edited by nagaraja Mar 1, 2021, 4:23 PM Mar 1, 2021, 4:16 PM

    Hello guyz,

    i want to add some extension parameter for certificates rolled out by certificate manager on pf box.

    I think openssl is used to make this job done, find command got several files

    [21.02-RELEASE]root: find / -name "*.cnf"
/usr/local/openssl/openssl.cnf
/usr/local/share/pfSense/ssl/openssl.cnf
/etc/thoth/openssl.cnf
/etc/ssl/openssl.cnf

    Which file is the default one used by system?

    Thanks

    J 1 Reply Last reply Mar 1, 2021, 9:36 PM Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate @nagaraja
      last edited by Mar 1, 2021, 9:36 PM

      @nagaraja said in default openssl.cnf file location used by Certificate Manager:

      Which file is the default one used by system?

      For what purpose? For certificates, /usr/local/share/pfSense/ssl/openssl.cnf is the stock file from pfSense but it gets copied over /etc/ssl/openssl.cnf at boot time since most utilities pull it from there.

      If you want to make changes which must be in openssl.cnf for how the certificates get generated, edit /usr/local/share/pfSense/ssl/openssl.cnf and then copy it over /etc/ssl/openssl.cnf. That way they'll be active now and for future boots.

      But keep a copy of the stock file in case your edits need to be reversed.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      N 1 Reply Last reply Mar 2, 2021, 11:22 AM Reply Quote 0
      • N
        nagaraja @jimp
        last edited by Mar 2, 2021, 11:22 AM

        @jimp

        @jimp said in default openssl.cnf file location used by Certificate Manager:

        @nagaraja said in default openssl.cnf file location used by Certificate Manager:

        Which file is the default one used by system?

        For what purpose? For certificates, /usr/local/share/pfSense/ssl/openssl.cnf is the stock file from pfSense but it gets copied over /etc/ssl/openssl.cnf at boot time since most utilities pull it from there.

        If you want to make changes which must be in openssl.cnf for how the certificates get generated, edit /usr/local/share/pfSense/ssl/openssl.cnf and then copy it over /etc/ssl/openssl.cnf. That way they'll be active now and for future boots.

        But keep a copy of the stock file in case your edits need to be reversed.

        Hey @jimp , thanks for your answer.

        Since [ ca ] call [ CA_default ] and parameter x509_extensions = usr_cert

        i added to /usr/local/share/pfSense/ssl/openssl.cnf section [ usr_cert ]

        crlDistributionPoints           = URI:http://mycdp:8000/crl/distribpoint.crl

        In the end, i cp /usr/local/share/pfSense/ssl/openssl.cnf /etc/ssl/openssl.cnf

        I then created a CA then an Intermediate CA that issued a cert. So, i checked all three certs and i did not get any trace of my job.

        What's wrong here?

        N 1 Reply Last reply Mar 4, 2021, 9:32 AM Reply Quote 0
        • N
          nagaraja @nagaraja
          last edited by Mar 4, 2021, 9:32 AM

          @nagaraja

          Does anybody able to confirm this is a common behavior?

          I cannot believe i am the first one that wants to add an extension property on pfsense CA's cert

          J 1 Reply Last reply Mar 4, 2021, 9:25 PM Reply Quote 0
          • J
            jimp Rebel Alliance Developer Netgate @nagaraja
            last edited by Mar 4, 2021, 9:25 PM

            @nagaraja said in default openssl.cnf file location used by Certificate Manager:

            I cannot believe i am the first one that wants to add an extension property on pfsense CA's cert

            You may very well be -- it's not a supported process nor one that most people would expect the certificate manager on the firewall to handle.

            You probably want the v3_* sections not the ones you edited.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            N 1 Reply Last reply Mar 5, 2021, 3:02 PM Reply Quote 1
            • N
              nagaraja @jimp
              last edited by nagaraja Mar 5, 2021, 3:07 PM Mar 5, 2021, 3:02 PM

              @jimp

              @jimp said in default openssl.cnf file location used by Certificate Manager:

              @nagaraja said in default openssl.cnf file location used by Certificate Manager:

              I cannot believe i am the first one that wants to add an extension property on pfsense CA's cert

              You probably want the v3_* sections not the ones you edited.

              Yes, that perfecly worked. I used [ v3_ca ] and i was able to find the url reference both on CA and Intermediate cert's property. TYVM @jimp

              Just a consideration here: crlDistributionPoints should be expressed in a multiple values string because every CA generated, has the same url: in the view of CA/Sub hierarchy both crl lists should be served.

              You may very well be -- it's not a supported process nor one that most people would expect the certificate manager on the firewall to handle.

              Is that so strange? I had to install pfsense CA for webUI authentication and I am actually using acme for public cert generation, I have a script that securely share certs after renew.
              Why not, i can have everything on the same panel. Having pfsense Certs Manager as internal root ca since it is replicated by sync ha with a decent crl manager is a resource saver and It is ready there faster than any other implementation.
              Okay it's not the best in features without any automation but for a small environment to sign scripts or auth services seems to work fine (i already successfully tested it to autenticate web services or rdp client sessions with crl revocation checks)

              In terms of security, if pfsense CA can be used by OpenVPN, can be generally considered satisfying i believe.

              1 Reply Last reply Reply Quote 0
              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Mar 5, 2021, 4:27 PM

                It's unusual because it's not intended for that role (yet, at least) -- adding functions which are useful outside of the firewall is out of scope, even if the cert manager is convenient to use.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                2 out of 7
                • First post
                  2/7
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                  This community forum collects and processes your personal information.
                  consent.not_received