Import CA from my UCS-Server
-
Hi @all,
In order to use the users from my Univention server (UCS), I have to connect to its LDAP.
For STARTTLS to work, I have to import the CA from the UCS. I have exported the CA on the UCS (ucs-root-ca.crt). How do I import this into pfSense?
System -> Certificate Management -> CA -> Add
Method: Import an existing certificate authority.
I can look at the file 'ucs-root-ca.crt' on the computer -> Detail.
The certificate has the following structure (I have removed the key). Which value is:
(pfSense fields)
- Certificate data
- Private certificate key (optional)
- Next Certificate Serial
What data should I put here?
Personal name
- C (country): DE
- ST (State): DE
- L (place): DE
- O (organisation): Example-Club
- OU (Organisational Unit): Univention Corporate Server
- CN (first name): Univention Corporate Server Root CA (ID=BDPAFPDP)
- EMAIL (e-mail address): ssl@lan.example.club

Name of the publisher
- C (Country): DE
- ST (State): DE
- L (City): DE
- O (Organisation): example-Club
- OU (Organisational Unit): Univention Corporate Server
- CN (first name): Univention Corporate Server Root CA (ID=BDPAFPDP)
- EMAIL (e-mail address): ssl@lan.example.club

Certificate of the issuer
- Version: 3
- Serial number:
- Not valid before: 2022-02-15
- Not valid after: 2027-02-14

Certificate fingerprints
- SHA1:
- MD5:

Public key information
- Key algorithm: RSA
- Key parameter: 05 00
- Key length: 2048
- SHA1 fingerprint of the key:
- Public key:

Global constraints
- Certification Authority: Yes
- Maximum path length: Unlimited
- Critical: Yes

Personal Key Identifier
- Key identifier:
- Critical: No

Extension
- Identifier: 2.5.29.35
- Value:
- Critical: No

Key Usage
- Uses: Digital signature
- Critical: No

Extension
- Identifier: 2.16.840.1.113730.1.1
- Value: 03 02 00 07
- Critical: No

Alternative personal names
- E-mail: ssl@lan.example.club
- Critical: No

Extension
- Identifier: 2.5.29.18
- Value:
- Critical: No

Extension
- Identifier: 2.16.840.1.113730.1.13
- Value:
- Critical: No

Signature
- Signature algorithm: 1.2.840.113549.1.1.11
- Signature parameter: 05 00
- Signature:
with best
pixel24
-
First things first:
@pixel24 said in Import CA from my UCS-Server:
In order to use the users from my Univention server (UCS), I have to connect to its LDAP.
For STARTTLS to work, I have ...
Dunno what UCS is. Is it a mail server? You control that mail server?
STARTTLS is a bit 'old school'.
There are two choices: use port 587 without TLS - just plain 'text' for everything.
What you really need is TLS: use port 465, aka plain "smtps", directly.
@pixel24 said in Import CA from my UCS-Server:
I have to import the CA from the UCS. I have exported the CA on the UCS (ucs-root-ca.crt).
The CA, and most probably also the derived certificate (System > Certificate Manager > Certificates and then import).
There, where your CA and certificate are stored right now, export them.
Most common is the PEM (so-called X.509) format: a plain text file like:
-----BEGIN CERTIFICATE-----
MIIEejCCA2KgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMCRlIx
CzAJBgNVBAgTAkxHMQ8wDQYDVQQHEwZDdXpvcm4xEDAOBgNVBAoTB015IENvbXAx
.....
KTRaTO1TFK6r0vBduzLKT6+67L1d94R7PhDmxlo+iHFAxGQZ+0j47kNreXd+cpPA
31jwp8xl3G6sP5uzEgjDhpXsLJDWxA8+91hNB+SzRJIHO/KoUulIOW0yKDAzBg==
-----END CERTIFICATE-----
or you can use the "PKCS #12 (PFX)" format - a file with a .p12 extension.
The info you've listed is a human-readable text list, not usable for export or import.
-
Yes, export the CA cert, not the key, as X.509 if you want to import it into pfSense.
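As an added example (not from pfSense, Univention or anyone in this thread), here is a small stdlib-only Python helper that turns an exported CA file into exactly what the "Certificate data" field wants: it converts a binary DER export to PEM, keeps only CERTIFICATE blocks so that an accidentally co-exported private key is never pasted into the CA field, and re-wraps the base64 so a damaged copy is rejected instead of imported. The function names and the sample export are my own construction; the sample body is placeholder bytes, not a real certificate.

```python
import base64
import re
import ssl

# Matches any PEM-armoured block and captures its label ("CERTIFICATE",
# "RSA PRIVATE KEY", ...) and its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def prepare_ca_for_pfsense(data: bytes) -> list[str]:
    """Return the certificate PEM block(s) to paste into pfSense.

    Private-key blocks are dropped: a CA imported only to validate the
    UCS LDAP server's STARTTLS certificate must not carry a key.
    A DER (binary) export is re-armoured as PEM first.
    """
    text = data.decode("ascii", errors="ignore")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        # No PEM armour at all: treat the file as DER.
        return [ssl.DER_cert_to_PEM_cert(data)]
    certs = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            continue  # e.g. "PRIVATE KEY" / "RSA PRIVATE KEY"
        body = "".join(body.split())
        # Strict decode raises on truncated or corrupted base64.
        der = base64.b64decode(body, validate=True)
        certs.append(ssl.DER_cert_to_PEM_cert(der))  # 64-char lines
    return certs


def pem_to_der(pem: str) -> bytes:
    """Inverse of the above, for checking round trips."""
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed sample: a "certificate" plus a key block that should be dropped.
FAKE_DER = b"constructed placeholder bytes, not a real X.509 certificate" * 3
SAMPLE_EXPORT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
    + "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.encodebytes(b"constructed key placeholder").decode()
    + "-----END RSA PRIVATE KEY-----\n"
)
```

Paste the returned block under System -> Certificate Management -> CA -> Add with the "Private certificate key" field left empty; "Next Certificate Serial" only matters for CAs pfSense itself signs with.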