• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Problems with Certificate Generation

Scheduled Pinned Locked Moved General pfSense Questions
6 Posts 3 Posters 1.0k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • G
    guardian Rebel Alliance
    last edited by guardian Aug 15, 2022, 2:51 AM Aug 15, 2022, 2:50 AM

    I am wondering if I an doing something wrong or if pfSense can't create certificates signed by a intermediate CA and include the complete chain of trust:

    I created an internal Certificate Authority with CN=MY_ROOT, I then created an intermediate Certificate Authority signed by MY_ROOT with cn=DUMMYINTERMEDIATE. I finished off by creating a server certificate signed by DUMMYINTERMEDIATE with cn=DUMMYSERVER. A listing of all three certificates is below.

    My concern is that if I were to export DUMMYSERVER and attempt to use it, I would have to include DUMMYINTERMEDIATE in the trust store for the browser and that MY_ROOT would be irrelevent.

    I thought one of the reasons for having an intermediate certificate is that you can store the root CA in the browser trust store, and than change the intermedicate CAs without having to replace the certificate in all the browsers.

    I am currently using pfSense 2.6.0-RELEASE.

    Am I missing something? Any insights would be much appreciated.

    openssl x509 -in DUMMYROOT.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1574392562938565745 (0x15d95db1caf85471)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = MY_ROOT
        Validity
            Not Before: Aug 14 06:13:08 2022 GMT
            Not After : Aug 11 06:13:08 2032 GMT
        Subject: CN = MY_ROOT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e2:9a:34:8c:53:f6:06:ae:73:0e:9a:a7:99:24:
                    09:cb:c2:71:79:4c:3c:65:48:17:88:c1:53:79:b3:
                    1c:1f:e5:9c:41:60:c6:b8:6a:e9:cf:45:15:15:b6:
                    91:05:fd:19:7f:44:aa:6c:1f:41:84:7f:bd:d1:84:
                    8f:33:cf:ff:4d:20:83:8c:bb:41:ab:71:34:03:a2:
                    e6:26:4f:53:32:80:90:3c:71:65:4a:a7:2f:24:63:
                    f5:16:ed:df:fd:e5:92:3f:77:8a:81:40:a6:06:fd:
                    1a:a4:44:4c:d2:c9:5a:e3:af:1c:fc:91:c3:08:52:
                    ed:8c:db:10:f5:3a:47:88:4c:a8:f6:70:eb:3a:d6:
                    1d:a0:f6:62:e4:52:a8:7a:5f:bd:5b:2f:46:3c:fc:
                    b5:c3:e4:af:e5:36:a4:45:83:31:79:e3:8a:0a:fb:
                    d9:4a:82:6d:3f:62:6c:72:2b:3f:85:fa:59:1d:78:
                    c2:57:91:f4:41:df:69:8d:8c:5e:44:32:cd:50:3a:
                    9b:d1:56:1f:74:2b:71:e5:b1:7a:e2:08:8f:f2:b0:
                    f8:0a:a1:96:68:c6:56:a6:45:b0:bd:62:86:49:02:
                    b4:b0:93:dc:50:89:cb:61:2c:13:9e:d7:29:35:8f:
                    fb:8f:3f:c8:0d:10:84:01:40:1e:11:e5:59:cf:8b:
                    c9:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                12:92:F0:DD:A3:D6:52:D4:F1:E6:71:14:08:06:91:58:5E:41:E6:E1
            X509v3 Authority Key Identifier: 
                keyid:12:92:F0:DD:A3:D6:52:D4:F1:E6:71:14:08:06:91:58:5E:41:E6:E1
                DirName:/CN=MY_ROOT
                serial:15:D9:5D:B1:CA:F8:54:71

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         6c:a3:b5:26:04:09:49:ff:68:98:81:0f:a5:a1:e1:3f:15:05:
         b2:6e:c2:ea:29:7c:4d:02:2b:45:01:eb:df:22:36:02:8b:d4:
         d1:eb:4d:ed:74:c1:3b:0a:dd:ec:8f:12:ee:f7:e7:d8:ba:43:
         ec:77:98:89:92:32:2c:29:39:e3:81:bb:30:58:0d:ea:4a:0e:
         41:3f:f1:a6:38:76:84:11:6f:7e:60:b5:11:46:54:50:19:0c:
         84:7a:ac:ee:f0:f3:96:22:9a:a6:b9:21:9b:36:ee:36:05:98:
         29:f8:95:c8:24:d0:ed:87:72:22:22:35:65:bf:30:c0:d7:a8:
         da:69:9d:8a:ea:dc:fd:5d:ea:d9:6e:3a:ab:42:bd:78:5a:c3:
         c1:e3:6c:84:a4:81:35:5e:f0:b5:d7:d6:71:e4:20:6a:6d:ed:
         a8:ca:08:3d:bc:2e:c1:1c:7a:d3:12:00:f6:5a:9c:9d:81:3e:
         34:36:74:41:02:39:5a:ed:ae:0f:16:f7:b2:01:66:6b:7c:57:
         b7:4d:ac:e0:d6:79:b6:76:4d:b3:a4:63:90:2c:7c:d2:37:13:
         b2:f7:4e:61:ef:72:62:25:7e:83:47:74:70:b2:e7:cd:b0:45:
         91:b3:ca:cc:53:8d:03:0f:dd:e3:90:5a:df:44:71:51:4a:41:
         26:12:50:5f

--------------------------------------------------------------------------------

openssl x509 -in DUMMYINTERMEDIATE.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = MY_ROOT
        Validity
            Not Before: Aug 14 06:15:51 2022 GMT
            Not After : Aug 11 06:15:51 2032 GMT
        Subject: CN = MY_INTERMEDIATE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bf:58:c6:62:e4:91:b7:bd:2b:50:7e:4c:fd:08:
                    8d:8c:f9:0c:c2:39:74:55:f3:10:b3:f8:2b:d2:77:
                    27:79:f4:b9:bb:ba:74:19:fd:07:f5:05:2a:4c:ad:
                    1c:a7:d4:fb:ed:68:5c:07:09:b8:47:f8:36:e4:67:
                    ec:49:4e:e9:70:43:e5:b3:10:92:b8:1f:3c:95:2d:
                    12:bd:a2:81:d1:1d:c6:9f:1f:62:b9:90:46:56:19:
                    36:54:e5:f4:79:56:ac:55:77:66:37:a9:2a:a9:e6:
                    5d:f8:42:17:40:85:bf:f1:ce:45:82:85:47:4b:f6:
                    35:7a:0e:01:55:4b:4d:ff:29:9a:59:fa:d8:57:39:
                    98:cc:44:66:8b:37:a5:16:db:4e:43:14:bb:0a:0f:
                    ef:f9:d4:2f:f7:1f:03:c4:47:ef:0d:93:81:9c:30:
                    30:d3:43:23:5b:66:12:c3:87:34:75:d8:e4:07:d7:
                    32:02:df:b6:77:4e:65:f5:30:bb:75:4e:a5:8a:0e:
                    3a:60:1f:03:5e:70:5e:8c:28:31:61:bd:1e:35:98:
                    d9:6e:90:e0:ce:af:1d:fa:b2:44:66:1c:ee:17:b5:
                    45:f1:6a:ce:28:84:ef:0b:5f:5e:3f:b3:70:10:13:
                    fd:51:7f:f0:a6:02:44:c8:e3:98:98:bf:31:85:f8:
                    6c:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E0:9D:7B:62:7F:FD:17:8B:E3:7B:EB:1D:83:ED:98:FC:A0:8C:C4:2D
            X509v3 Authority Key Identifier: 
                keyid:12:92:F0:DD:A3:D6:52:D4:F1:E6:71:14:08:06:91:58:5E:41:E6:E1
                DirName:/CN=MY_ROOT
                serial:15:D9:5D:B1:CA:F8:54:71

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         b2:6d:47:9f:46:29:2f:32:89:70:ff:7f:df:3c:60:25:f5:c6:
         db:9e:b1:a6:a8:9a:05:4c:07:e0:bb:14:07:30:f7:a6:aa:f7:
         61:4f:ee:c9:3f:fc:fe:aa:f5:20:ab:75:c2:2a:e7:1b:6e:e8:
         c9:5d:8c:f5:f8:28:a5:82:bb:5d:01:9e:83:9c:2d:c6:c9:9d:
         34:d3:37:d6:1d:f3:06:84:c2:ba:ae:b7:4f:ad:31:9a:be:4c:
         ae:b7:5c:89:2e:3a:b2:a4:cb:09:b7:35:4a:be:0f:26:4a:9c:
         ca:59:75:ba:f8:69:75:14:c0:ab:41:1c:6d:0b:60:47:9b:a5:
         e9:47:53:d1:cf:27:ec:a1:d2:f8:e7:f8:d8:94:9b:01:44:4c:
         21:b0:39:22:72:0c:4b:1d:d1:3a:2f:0f:fb:7b:9d:64:31:b6:
         5d:f1:36:de:85:aa:a9:2f:47:80:eb:27:56:15:f5:37:df:b3:
         25:5f:d1:c6:f9:b6:7a:21:6a:5e:78:06:39:36:fa:a0:70:d4:
         7a:f9:6f:19:0e:fa:ed:27:1f:43:3f:63:58:c8:3d:71:18:4b:
         1d:76:3f:89:41:73:d5:04:d2:03:b4:e8:5c:f4:3d:ec:ea:b8:
         4c:40:2e:46:38:95:7a:b1:10:1b:8b:5e:8b:a6:41:bb:cb:6d:
         5c:e3:c5:1c
--------------------------------------------------------------------------------
openssl x509 -in MYDUMMYSERVER.crt -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = MY_INTERMEDIATE
        Validity
            Not Before: Aug 14 17:07:58 2022 GMT
            Not After : Aug 14 17:07:58 2023 GMT
        Subject: CN = MYDUMMYSERVER
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b5:5d:36:57:4c:e3:a1:1b:11:ea:44:bb:f8:ed:
                    bb:5e:86:ae:16:26:e0:df:33:66:da:0f:14:80:87:
                    d1:c1:b5:c8:29:67:32:76:6b:cf:b3:96:de:e9:8a:
                    81:fa:65:9f:60:ae:83:73:f4:6a:31:2a:60:73:33:
                    d7:64:18:2e:7d:18:dd:6b:65:9d:7c:a8:58:20:28:
                    af:44:b5:f5:76:b0:dd:13:da:65:19:0a:9b:2c:e2:
                    82:5a:b2:ab:46:78:8c:29:91:1c:85:c1:ce:71:81:
                    10:b7:c9:62:03:51:9d:84:57:c1:3c:f1:09:88:6e:
                    10:34:b3:47:ab:51:1c:f1:2c:05:bb:c3:27:b3:b6:
                    1b:82:f9:ff:2a:87:d3:f3:23:c1:b2:bb:bf:74:f6:
                    1c:4e:81:41:7b:31:83:fc:2b:79:34:99:48:c6:b6:
                    95:2b:92:d7:79:81:34:87:51:db:8e:ea:d5:1c:bd:
                    be:c2:ba:63:97:43:ae:9f:76:9e:b8:f2:fc:b8:0f:
                    9b:07:58:94:27:73:67:18:da:ad:b7:d7:84:81:f2:
                    fc:16:a2:e3:de:dd:04:33:65:d0:fb:df:ac:3d:49:
                    c4:d5:d4:e3:3e:a9:83:b6:5e:e0:79:7f:c7:f5:85:
                    1a:c5:f2:f3:8d:0a:f6:09:c6:b1:3d:d9:d6:2b:3d:
                    2a:b7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                CB:EB:B5:8C:91:45:D5:DC:CD:82:D7:19:33:C9:1C:F0:6A:EE:82:66
            X509v3 Authority Key Identifier: 
                keyid:E0:9D:7B:62:7F:FD:17:8B:E3:7B:EB:1D:83:ED:98:FC:A0:8C:C4:2D
                DirName:/CN=MY_ROOT
                serial:01

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Subject Alternative Name: 
                DNS:MYDUMMYSERVER
    Signature Algorithm: sha256WithRSAEncryption
         90:fb:5e:ea:5b:77:b4:d8:1c:0e:8e:3e:9d:55:a1:86:f7:f0:
         aa:58:47:04:cb:7b:e6:b9:77:2d:d4:ef:73:4a:82:a9:9f:39:
         e5:8a:9c:55:f7:d6:46:82:b1:3a:32:d6:78:f7:78:57:41:08:
         64:8e:96:fc:e7:07:06:d4:8a:3e:ba:44:10:0d:7b:58:53:ad:
         38:30:50:74:f1:be:9d:5f:a5:66:74:76:bf:da:2d:29:cc:0c:
         5e:28:c1:48:8d:31:c7:33:0c:bf:3b:7d:7e:6a:92:1e:61:61:
         47:6c:9e:3c:e0:b1:13:6d:95:4f:e6:b2:0f:f8:35:f0:e7:91:
         19:5c:c5:7a:b5:17:af:43:89:2e:60:ad:96:df:00:94:aa:bd:
         b2:85:16:74:5a:c7:ae:c6:5e:27:29:40:83:17:82:17:e8:10:
         ec:b3:9a:33:52:b2:ce:b5:6f:69:ad:36:81:44:49:34:3b:77:
         f8:c3:ba:7a:d2:5a:55:da:42:30:54:2c:a4:1c:10:4f:4d:dc:
         d0:2f:2e:56:6d:4b:ef:8c:64:dc:59:0f:1c:b4:c8:bc:86:d6:
         f9:e1:d1:70:ef:c1:0f:a2:0b:f6:9b:86:7c:34:60:a2:f3:61:
         40:22:1a:ab:49:04:9f:80:16:34:9c:78:c9:60:55:a8:5f:d4:
         9b:05:d3:04

    If you find my post useful, please give it a thumbs up!
    pfSense 2.7.2-RELEASE

    S J 2 Replies Last reply Aug 15, 2022, 7:36 PM Reply Quote 0
    • S
      stephenw10 Netgate Administrator @guardian
      last edited by Aug 15, 2022, 7:36 PM

      @guardian said in Problems with Certificate Generation:

      My concern is that if I were to export DUMMYSERVER and attempt to use it, I would have to include DUMMYINTERMEDIATE in the trust store for the browser and that MY_ROOT would be irrelevent.

      Did you actually test this? And it failed?

      1 Reply Last reply Reply Quote 0
      • J
        johnpoz LAYER 8 Global Moderator @guardian
        last edited by johnpoz Aug 15, 2022, 10:21 PM Aug 15, 2022, 10:02 PM

        @guardian ok if I understand what your asking I just tested this and works just fine.

        so I have a CA on pfsense home-ca, I then created an intermediate CA signed by home-ca

        int.jpg

        My browser trusts home-ca (installed by me in browser by hand long time ago). I have many certs issued by this ca for internal stuff. Switch, Printer, Unifi Controller, etc.. No intermediate-ca was install on my browser or my OS by me.

        I then issed a cert for test.local.lan with the intermediate-ca.

        I installed this cert on a site, along with the intermediate-ca and the site is trusted by my browser.

        cert.jpg

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 1
        • G
          guardian Rebel Alliance
          last edited by Aug 17, 2022, 10:18 AM

          Thanks @johnpoz for the swift reply. Maybe I don't understand how the certs need to be deployed.

          Is it normal practice to install the intermediate CA along with the server certificate on the server?

          I was under the impression that a certificate bundle should include the complete "chain of trust" and that the intermediate CA should be part of the server certificate. Is my understanding wrong? Or do I need to generate that bundled cert a different way?

          @stephenw10, I didn't actually test THESE certs, but I recreated the steps I followed in this example as an illustration to explain my situation. I did not want to post real production data for obvious reasons.

          My deployment attempt was to TrueNAS, and when I first attempted to deploy my Server Cert, I was getting an error that the Intermediate Certificate was not trusted. I'm using the same root/intermediate certs that I use with my OpenVPN setup. The cert I created for TrueNAS followed the same general steps as I illustrated in this post. The end result was that I got a message that the Intermediate Certificate Authority was unknown/was not trusted. If I installed the ICA on my browser, then the connection worked.

          I was expecting to see the entire chain of trust when displaying the certificate.

          Admittedly this is out of scope for this forum (and the pfSense question would be out of scope in the TrueNAS forum), but could someone give me a hint as to how I would deploy these certificates to TrueNAS and have them accepted by my browser (assuming that I installed the rootCA on the browser)?

          If you find my post useful, please give it a thumbs up!
          pfSense 2.7.2-RELEASE

          J 1 Reply Last reply Aug 17, 2022, 11:00 AM Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator @guardian
            last edited by Aug 17, 2022, 11:00 AM

            @guardian said in Problems with Certificate Generation:

            Is it normal practice to install the intermediate CA along with the server certificate on the server?

            Its normal practice to install the full chain.. But if the CA is public trusted then you don't - the server will hand out the intermediate CA to the client, who since he trusts that signing CA of that intermediate will trust it.

            There is nothing wrong with the CA manager in pfsense.

            I was expecting to see the entire chain of trust when displaying the certificate.

            You did - see the cert info I show for the cert in my browser - shows the full chain.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            G 1 Reply Last reply Aug 17, 2022, 4:29 PM Reply Quote 0
            • G
              guardian Rebel Alliance @johnpoz
              last edited by Aug 17, 2022, 4:29 PM

              @johnpoz said in Problems with Certificate Generation:

              @guardian said in Problems with Certificate Generation:

              Is it normal practice to install the intermediate CA along with the server certificate on the server?

              Its normal practice to install the full chain.. But if the CA is public trusted then you don't - the server will hand out the intermediate CA to the client, who since he trusts that signing CA of that intermediate will trust it.

              OK, so that is clearly what I have been missing. I need to find out how to install the chain in TrueNAS. There appears to be a Certificate Authority Section which is similar to the one in pfSense. Maybe if I just import them there things might work.

              @johnpoz said in Problems with Certificate Generation:

              There is nothing wrong with the CA manager in pfsense.
              @guardian said in Problems with Certificate Generation:

              I was expecting to see the entire chain of trust when displaying the certificate.

              You did - see the cert info I show for the cert in my browser - shows the full chain.

              Yes, I saw that.... it's how that chain got generated that I didn't understand. IIUC the server is assembling the trust bundle on demand from the component parts, not from a prebuilt certificate bundle.

              If you find my post useful, please give it a thumbs up!
              pfSense 2.7.2-RELEASE

              1 Reply Last reply Reply Quote 0
              1 out of 6
              • First post
                1/6
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                This community forum collects and processes your personal information.
                consent.not_received