Netgate Discussion Forum
    Import CA from my UCS-Server

    General pfSense Questions
    3 Posts 3 Posters 851 Views

    • pixel24

      Hi@all,

      In order to use the users from my Univention server (UCS), I have to connect to its LDAP.

      For STARTTLS to work, I have to import the CA from the UCS. I have exported the CA on the UCS (ucs-root-ca.crt). How do I import this into pfSense?

      System -> Certificate Management -> CA -> Add

      Method: Import an existing certificate authority.

      I can look at the file 'ucs-root-ca.crt' on the computer -> Detail.

      The certificate has the following structure (I have removed the key). Which value is:

      (pfSense fields)

      • Certificate data
      • Private certificate key (optional)
      • Next Certificate Serial

      What data should I put here?

      Personal name
      C (country): DE
      ST (State): DE
      L (place): DE
      O (organisation): Example-Club
      OU (Organisational Unit): Univention Corporate Server
      CN (first name): Univention Corporate Server Root CA (ID=BDPAFPDP)
      EMAIL (e-mail address): ssl@lan.example.club
      Name of the publisher
      C (Country): DE
      ST (State): DE
      L (City): DE
      O (Organisation): example-Club
      OU (Organisational Unit): Univention Corporate Server
      CN (first name): Univention Corporate Server Root CA (ID=BDPAFPDP)
      EMAIL (e-mail address): ssl@lan.example.club
      Certificate of the issuer
      Version: 3
      Serial number:
      Not valid before: 2022-02-15
      Not valid after: 2027-02-14
      Certificate fingerprints
      SHA1:
      MD5:
      Public key information
      Key algorithm: RSA
      Key parameter: 05 00
      Key length: 2048
      SHA1 fingerprint of the key:
      Public key:
      Global constraints
      Certification Authority: Yes
      Maximum path length: Unlimited
      Critical: Yes
      Personal Key Identifier
      Key identifier:
      Critical: No
      Extension
      Identifier: 2.5.29.35
      Value:
      Critical: No
      Key Usage
      Uses: Digital signature
      Critical: No
      Extension
      Identifier: 2.16.840.1.113730.1.1
      Value: 03 02 00 07
      Critical: No
      Alternative personal names
      E-mail: ssl@lan.example.club
      Critical: No
      Extension
      Identifier: 2.5.29.18
      Value:
      Critical: No
      Extension
      Identifier: 2.16.840.1.113730.1.13
      Value:
      Critical: No
      Signature
      Signature algorithm: 1.2.840.113549.1.1.11
      Signature parameter: 05 00
      Signature:

      with best
      pixel24

      • Gertjan @pixel24

        First things first :

        @pixel24 said in Import CA from my UCS-Server:

        In order to use the users from my Univention server (UCS), I have to connect to its LDAP.
        For STARTTLS to work, I have ...

        Dunno what UCS is. Is it a mail server? You control that mail server?
        STARTTLS is a bit 'old school'.
        There are two choices: use port 587 without TLS - just plain 'text' for everything.
        What you really need is TLS: use port 465, aka plain "smtps", directly.

        @pixel24 said in Import CA from my UCS-Server:

        I have to import the CA from the UCS. I have exported the CA on the UCS (ucs-root-ca.crt).

        The CA, and most probably also the derived certificate (System > Certificate Manager > Certificates and then import).

        There, where your CA and certificate are stored right now, export them.
        Most common is the PEM (so-called X.509) format: a plain text file like:

        -----BEGIN CERTIFICATE-----
        MIIEejCCA2KgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMCRlIx
        CzAJBgNVBAgTAkxHMQ8wDQYDVQQHEwZDdXpvcm4xEDAOBgNVBAoTB015IENvbXAx
        .....
        KTRaTO1TFK6r0vBduzLKT6+67L1d94R7PhDmxlo+iHFAxGQZ+0j47kNreXd+cpPA
        31jwp8xl3G6sP5uzEgjDhpXsLJDWxA8+91hNB+SzRJIHO/KoUulIOW0yKDAzBg==
        -----END CERTIFICATE-----

        or you can use the "PKCS #12 (PFX)" format - a file with a p12 extension.

        The info you've listed is a human-readable text list, not usable for export or import.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • stephenw10 Netgate Administrator

          Yes, export the CA cert, not the key, as x.509 if you want to import it into pfSense.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
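          The two answers above boil down to one check a practitioner does before pasting anything into the pfSense CA import form: is the exported file a PEM (or DER) certificate, does it accidentally carry the private key, and is it just a human-readable dump like the one in the question? The following script is an added example written for this thread, not code from the forum, pfSense or Univention. It uses only the Python standard library, constructs a tiny stand-in DER blob (not a real certificate) for demonstration, and sorts an export into what belongs in the "Certificate data" box, leaving the key field empty as stephenw10 recommends. The function and constant names are the example's own.

```python
"""Triage a CA export before importing it into pfSense (added example, constructed data)."""
import base64
import re

# Matches one PEM block and captures its label ("CERTIFICATE", "PRIVATE KEY", ...) and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Constructed stand-in for a DER file: SEQUENCE (long-form length) containing INTEGER 1.
# It is NOT a real certificate; it only exercises the format handling.
CONSTRUCTED_DER = b"\x30\x82\x00\x03\x02\x01\x01"

# Constructed human-readable dump, like the listing pasted in the question.
CONSTRUCTED_TEXT_DUMP = b"Serial number:\nNot valid before: 2022-02-15\nNot valid after: 2027-02-14\n"


def classify(data: bytes) -> str:
    """Return "der", "pem", "text-dump" or "unknown" for the bytes of an exported file."""
    # DER starts with the ASN.1 SEQUENCE tag 0x30; a real certificate is longer than 127
    # bytes, so the second byte is a long-form length (high bit set). Checking that bit
    # avoids mistaking a text file that starts with the ASCII digit '0' (also 0x30) for DER.
    if len(data) > 2 and data[0] == 0x30 and data[1] & 0x80:
        return "der"
    text = data.decode("utf-8", errors="replace")
    if "-----BEGIN " in text:
        return "pem"
    # A viewer dump (subject, validity, fingerprints) carries no importable bytes.
    if re.search(r"(?i)not valid (before|after)|fingerprint", text):
        return "text-dump"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as a PEM block with the 64-character lines pfSense expects."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def extract_certificate_data(data: bytes) -> dict:
    """Split an export into the pfSense import fields.

    certificate_data: text for the "Certificate data" box (CERTIFICATE blocks only)
    private_key:      always empty; validating LDAP STARTTLS needs only the CA's public cert
    dropped:          labels of non-certificate PEM blocks that were removed, so that a key
                      exported by mistake is noticed rather than pasted into the firewall
    """
    kind = classify(data)
    if kind == "der":
        return {"kind": kind, "certificate_data": der_to_pem(data),
                "private_key": "", "dropped": []}
    if kind == "pem":
        text = data.decode("utf-8", errors="replace")
        certs, dropped = [], []
        for match in PEM_BLOCK.finditer(text):
            label, body = match.group(1), match.group(2)
            if label == "CERTIFICATE":
                # Decode and re-wrap so copy/paste whitespace cannot break the import.
                raw = base64.b64decode(re.sub(r"\s+", "", body))
                certs.append(der_to_pem(raw))
            else:
                dropped.append(label)
        return {"kind": kind, "certificate_data": "".join(certs),
                "private_key": "", "dropped": dropped}
    return {"kind": kind, "certificate_data": "", "private_key": "", "dropped": []}


# Constructed PEM export that wrongly includes a private key block next to the certificate.
CONSTRUCTED_PEM_WITH_KEY = (
    der_to_pem(CONSTRUCTED_DER)
    + "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in [("der", CONSTRUCTED_DER),
                         ("pem+key", CONSTRUCTED_PEM_WITH_KEY.encode()),
                         ("dump", CONSTRUCTED_TEXT_DUMP)]:
        result = extract_certificate_data(sample)
        print(name, result["kind"], "dropped:", result["dropped"])
        print(result["certificate_data"] or "(nothing importable)")
```

          On a real export, the same checks are done with OpenSSL: `openssl x509 -in ucs-root-ca.crt -noout -text` prints the subject, issuer, validity and Basic Constraints (it should show CA:TRUE for a root), and `openssl x509 -inform DER -in ucs-root-ca.crt -out ucs-root-ca.pem` converts a DER export to the PEM text that goes into the "Certificate data" field.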