Netgate Discussion Forum
    Pfsense Certificate error with x509_strict

    General pfSense Questions

    ewok2:

      Hello
      I have created a CA "CA-MyDomain" in pfSense
      I have created a server certificate

      When I check the CA and certificate with openssl like this:

      openssl verify -verbose  -CAfile /etc/ssl/certs/CA-MyDomain.local.crt /etc/ssl/certs/MyServer.crt
      

      I get a good result:

      /etc/ssl/certs/MyServer.crt: OK
      

      But if I add the option "-x509_strict" it does not work:

      openssl verify -verbose -x509_strict -CAfile /etc/ssl/certs/CA-MyDomain.local.crt /etc/ssl/certs/MyServer.crt
      

      I get an error:

      CN = internal-ca, C = FR, ST = Country, L = City, O = "MyOrg ", OU = Home
      error 89 at 1 depth lookup: Basic Constraints of CA cert not marked critical
      error /etc/ssl/certs/MyServer.crt: verification failed
      

      Any idea of the problem?

      johnpoz (LAYER 8 Global Moderator), replying to ewok2:

        @ewok2 said in Pfsense Certificate error with x509_strict:

        Any idea of the problem?

        Yeah, "Basic Constraints of CA cert not marked critical". But I am not aware of setting such stuff in the GUI.. If you need the cert and/or CA to meet specific stuff like that, prob best to create it with openssl directly..

        https://www.openssl.org/docs/man3.0/man1/openssl-verification-options.html

        This goes over what is checked with that x509_strict option..

        If you need your CA to have stuff that the GUI does not allow for, you can always create the CA in openssl, and then import it into the pfSense Cert Manager for ease of signing certs..

        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        ewok2:

          Thanks for the help
          In fact I have an error when trying to connect LAM (LDAP Account Manager) with ldaps://
          I thought it was due to this CA x509_strict error, but it was not the problem

          I can connect from another VM in ldaps:// to my LDAP...

          The strange thing is that when creating the CA + cert with openssl and then testing the CA and cert with x509_strict, I get the same answer...
          => so it is not a pfSense issue ;-)

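Added example, not code from this thread, from pfSense or from Netgate: a POSIX shell script that builds a small CA and a CA-signed server certificate with the openssl CLI, once with basicConstraints marked critical and once without, and then runs openssl verify with and without -x509_strict against each chain. It ties together johnpoz's suggestion (create the CA in openssl with the extensions you need, then import it into the Cert Manager) and ewok2's observation that the plain verify passes either way. It assumes an OpenSSL 3.x openssl binary on PATH (the "error 89" check for a non-critical basicConstraints on a CA was introduced with the RFC 5280 strictness checks in 3.0; 1.1.1's -x509_strict does not flag it); the subject names internal-ca and ldap.mydomain.local and the file layout are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread): build a CA + server cert with
# openssl and check it the way ewok2 did, with and without -x509_strict.
# Assumes: openssl (3.x) on PATH; names below are constructed for the demo.

# write_cnf DIR MODE -- MODE is "critical" (RFC 5280 compliant CA) or
# "noncritical" (reproduces the "Basic Constraints of CA cert not marked
# critical" error 89 under -x509_strict on OpenSSL 3.x).
write_cnf() {
    dir=$1
    if [ "$2" = critical ]; then bc="critical, CA:TRUE"; else bc="CA:TRUE"; fi
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = internal-ca

# CA extensions: -x509_strict wants basicConstraints critical, a keyUsage
# that includes keyCertSign, and a subjectKeyIdentifier on every CA cert.
[ v3_ca ]
basicConstraints = $bc
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Leaf (server) extensions: not a CA, no keyCertSign, AKID pointing at the CA.
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:ldap.mydomain.local
EOF
}

# build_chain DIR MODE -- self-signed CA plus a CA-signed server cert in DIR.
build_chain() {
    dir=$1
    write_cnf "$dir" "$2" || return 1
    # Self-signed CA (P-256 key so the demo is fast; RSA works the same way).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -days 365 -config "$dir/ca.cnf" -extensions v3_ca \
        -subj "/CN=internal-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        2>/dev/null || return 1
    # Server key + CSR.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -sha256 -config "$dir/ca.cnf" -subj "/CN=ldap.mydomain.local" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Sign the CSR with the CA, applying the v3_leaf extension section.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ca.cnf" -extensions v3_leaf \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# verify_chain DIR [strict] -- echoes OK or FAIL; "strict" adds -x509_strict.
verify_chain() {
    dir=$1
    opt=""
    if [ "$2" = strict ]; then opt="-x509_strict"; fi
    out=$(openssl verify $opt -CAfile "$dir/ca.crt" "$dir/server.crt" 2>&1)
    case "$out" in
        *": OK"*) echo OK ;;
        *)        echo FAIL ;;
    esac
}

# Demo: the plain verify accepts both CAs; -x509_strict on OpenSSL 3.x rejects
# the one whose basicConstraints is not critical, exactly as in the first post.
good=$(mktemp -d); bad=$(mktemp -d)
build_chain "$good" critical
build_chain "$bad" noncritical
echo "critical CA,    strict: $(verify_chain "$good" strict)"
echo "noncritical CA, plain:  $(verify_chain "$bad")"
echo "noncritical CA, strict: $(verify_chain "$bad" strict)"
openssl verify -x509_strict -CAfile "$bad/ca.crt" "$bad/server.crt" || true
rm -rf "$good" "$bad"
```

The CA produced in the "critical" mode is what you would import into the pfSense Cert Manager (CA certificate plus key) to sign further server certificates there, as johnpoz describes. Note that -x509_strict is a conformance check, not what TLS clients enforce: a non-critical basicConstraints does not by itself break an LDAPS connection, which matches ewok2's finding that the LAM problem lay elsewhere.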
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.