Netgate Discussion Forum

    Restore certs and users from backup

General pfSense Questions
sgw

      Last week a SG-1000 died at a customer.
      I have a valid xml backup, and tried to import it to a fresh installation on a SG-1100.

      I had to start over a few times to get the interfaces assignment right, and (it had to happen fast) decided to configure the interfaces manually. So I have no certs imported right now and no users. The OpenVPN server config is there ...

      In "Restore" there are no choices like "Certificates" or "Users". (how) can I import the certs and users only, without importing "All"? Right now I am remote and shouldn't lose connectivity ;-)

      I have full ssh and https access, just as information. Basically I only miss the ovpn-server-certificate and users. I could recreate but then I would have to deploy a new package for the vpn-users.

      thanks

Gertjan @sgw

        @sgw

Backed-up config.xml files are meant to be restored on the same device (and you might also pull it off on an "identical" device, like a 1100 to a new 1100).

Any other (new) hardware, like a different NIC or the presence of a built-in switch like the 1100 has: that's an official no-go.
It's like backing up the Windows Registry from one PC and then importing it on another (not 100% identical) PC: things will go bad.

        Now for the good news :
        Download a good editor : here.
        Use it to open the config.xml file.
See that it is quite readable XML.

First things first: users on a pfSense? There is the admin... and who else? Why?
If you have a captive portal with many pre-set-up user accounts for the portal, I get it, because I have them also (I'm using pfSense for a hotel and I'm using the captive portal).

Keep in mind that this kind of work needs some preparation, and you need to be on site. Like: prepare the device where you are, and then send it off to the site where it should be used.
VPN is nice for everything, and for "light" admin work on pfSense.
IMHO, I'll never use it to finalize the pfSense setup itself.

        Users and certs can have a relation between them. Like OpenVPN : certs used for a user are linked to the OpenVPN certificate used, and the CA used upfront.
        Offering users the possibility to import users only, will also (have to) import related certs. This will get messy very fast.

I never did this myself, but: you could copy the entire <users> </users> block, and the <ca> </ca> and <certs> </certs> blocks, and try it out.
Prepare yourself for some test-and-fail sequences.

I have been in your situation a couple of months ago, when I went from a home-built old PC pfSense firewall to a SG-4100.
I thought I would make it happen like this:
On the new 4100, I created my WAN, LAN, OPT1 etc., identical to my 2.6.0 setup.
I exported the config.xml (4100) and compared it with mine, the old 2.6.0 config.xml, and replaced the <interfaces> block in the 4100 file with the block I found in the 2.6.0 file.
That was ... a no-go.
I finally decided to build the thing from the ground up, using the 2.6.0 file as a reference.

You can create a new OpenVPN server CA, create a new OpenVPN server certificate and a per-user OpenVPN client certificate, export those, set up OpenVPN to use the new cert, and done.
Other certificates, like for FreeRADIUS, can be recreated and then assigned to FreeRADIUS.
acme certs can be regenerated with a click.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

sgw @Gertjan

          @gertjan thanks

          Yes, I also assume that I could edit the xml and only import the relevant part.
          The trial-and-error approach isn't exactly what I am looking for ;-)

          Basically I only need the server-cert for the OpenVPN server instance, and maybe 3 users with their certs, to make their vpn-tunnels work again.

Gertjan @sgw

            @sgw
If you have access right now, not using OpenVPN, then go click for a new CA (name it openVPN-server-CA) and a certificate (name it OpenVPN-server).
Finish the pfSense OpenVPN server setup.
Now create the 3 "openvpn" users, each with their own cert.
Export them, and test one; as you can see, OpenVPN logs locally and remotely.

Plain https access comes in handy once in a while ;)

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

jimp moved this topic from Problems Installing or Upgrading pfSense Software

Jarhead @sgw

              @sgw said in Restore certs and users from backup:

              @gertjan thanks

              Yes, I also assume that I could edit the xml and only import the relevant part.
              The trial-and-error approach isn't exactly what I am looking for ;-)

              Basically I only need the server-cert for the OpenVPN server instance, and maybe 3 users with their certs, to make their vpn-tunnels work again.

              The certs can be converted from the old config and then added as "import existing cert" in cert manager.
              The users, probably easiest to just manually add them then assign the certs to them.

              Go here:
              https://www.opinionatedgeek.com/codecs/base64encoder

              Paste the text from the config for each cert and key, one at a time, and convert them. Then import.

bingo600

                I would prob. rather break an arm than use a Webpage to convert my private cert key...

                M$ ...
                https://dmfrsecurity.com/2017/01/07/windows-base64-encoding-and-decoding-using-certutil/

                https://stackoverflow.com/questions/65577255/encode-to-base64-a-specific-file-by-windows-command-line

                Linux

                cat <file_name> | base64
                

                But wouldn't a decoder be needed ???
                Isn't the cert stored base64 encoded in the XML ?

                /Bingo

If you find my answer useful - Please give the post a 👍 - "thumbs up"

pfSense+ 23.05.1 (ZFS)

QOTOM-Q355G4 Quad Lan.
CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

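The two approaches above, copying the <ca>/<cert>/<user> blocks between config.xml files (Gertjan's suggestion) and decoding the certificates offline instead of in a web page (Jarhead's and bingo600's exchange), as one added example. This is not code from the thread or from the pfSense project. It assumes the config.xml layout I see in pfSense backups: one <ca> element per CA and one <cert> element per certificate directly under the root <pfsense> element, with the PEM body base64-encoded in <crt> and <prv>, and each local user as a <user> element under <system> whose <cert> child holds the refid of that user's certificate; it also assumes pfSense does not care about the order of root-level elements. The sample configs and every certificate body are constructed placeholders, not real key material.

```python
"""Pull CAs, certificates and users out of an old pfSense config.xml, decode
the certificates offline, and merge the blocks into a fresh config.

Added example for this thread, not code from pfSense or from any poster.
Assumed layout: <ca> and <cert> elements directly under <pfsense>, PEM
bodies base64-encoded in <crt>/<prv>, local users as <system>/<user> with a
<cert> child naming the user's certificate by refid.
"""
import base64
import copy
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional


def b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Constructed placeholder PEM bodies (not real certificates or keys).
CA_CRT = "-----BEGIN CERTIFICATE-----\nMIIBexampleCA\n-----END CERTIFICATE-----\n"
CA_KEY = "-----BEGIN PRIVATE KEY-----\nMIIBexampleCAkey\n-----END PRIVATE KEY-----\n"
SRV_CRT = "-----BEGIN CERTIFICATE-----\nMIIBexampleServer\n-----END CERTIFICATE-----\n"
SRV_KEY = "-----BEGIN PRIVATE KEY-----\nMIIBexampleServerKey\n-----END PRIVATE KEY-----\n"
USR_CRT = "-----BEGIN CERTIFICATE-----\nMIIBexampleAlice\n-----END CERTIFICATE-----\n"
USR_KEY = "-----BEGIN PRIVATE KEY-----\nMIIBexampleAliceKey\n-----END PRIVATE KEY-----\n"

# Constructed stand-in for the dead SG-1000's backup, reduced to the relevant parts.
OLD_CONFIG = f"""<pfsense>
  <system>
    <hostname>fw-old</hostname>
    <user><name>admin</name><scope>system</scope><uid>0</uid></user>
    <user><name>alice</name><scope>user</scope><uid>2000</uid><cert>5f5f5f5f0001</cert></user>
  </system>
  <ca><refid>0a0a0a0a0001</refid><descr>openVPN-server-CA</descr>
      <crt>{b64(CA_CRT)}</crt><prv>{b64(CA_KEY)}</prv></ca>
  <cert><refid>1b1b1b1b0001</refid><descr>OpenVPN-server</descr><caref>0a0a0a0a0001</caref>
      <crt>{b64(SRV_CRT)}</crt><prv>{b64(SRV_KEY)}</prv></cert>
  <cert><refid>5f5f5f5f0001</refid><descr>alice</descr><caref>0a0a0a0a0001</caref>
      <crt>{b64(USR_CRT)}</crt><prv>{b64(USR_KEY)}</prv></cert>
</pfsense>"""

# Constructed stand-in for the freshly built SG-1100: interfaces done by hand,
# only the admin user, no PKI yet.
NEW_CONFIG = """<pfsense>
  <system><hostname>fw-new</hostname>
    <user><name>admin</name><scope>system</scope><uid>0</uid></user></system>
  <interfaces><wan><if>em0</if></wan><lan><if>em1</if></lan></interfaces>
</pfsense>"""


def extract_pki(config_xml: str) -> dict:
    """CAs and certs keyed by refid, plus every non-system user."""
    root = ET.fromstring(config_xml)
    return {
        "ca": {ca.findtext("refid"): ca for ca in root.findall("ca")},
        "cert": {c.findtext("refid"): c for c in root.findall("cert")},
        "user": [u for u in root.findall("system/user") if u.findtext("scope") != "system"],
    }


def dangling_refs(pki: dict) -> List[str]:
    """Certs whose CA is missing, users whose cert is missing: copying the
    blocks one at a time is exactly how these references get broken."""
    problems = []
    for cert in pki["cert"].values():
        caref = cert.findtext("caref")
        if caref and caref not in pki["ca"]:
            problems.append(f"cert {cert.findtext('descr')} -> missing CA {caref}")
    for user in pki["user"]:
        ref = user.findtext("cert")
        if ref and ref not in pki["cert"]:
            problems.append(f"user {user.findtext('name')} -> missing cert {ref}")
    return problems


def decode_pem(node: ET.Element, tag: str) -> Optional[str]:
    """Base64-decode <crt> or <prv> and insist the result is PEM text."""
    raw = (node.findtext(tag) or "").strip()
    if not raw:
        return None
    pem = base64.b64decode(raw, validate=True).decode()
    if not pem.startswith("-----BEGIN "):
        raise ValueError(f"<{tag}> of {node.findtext('descr')} did not decode to PEM")
    return pem


def export_pem(pki: dict) -> Dict[str, str]:
    """filename -> PEM, ready for Cert Manager's 'import an existing' forms.
    Runs on your own machine; no private key ever leaves it."""
    out = {}
    for kind in ("ca", "cert"):
        for node in pki[kind].values():
            descr = node.findtext("descr")
            out[f"{kind}-{descr}.crt"] = decode_pem(node, "crt")
            key = decode_pem(node, "prv")
            if key:
                out[f"{kind}-{descr}.key"] = key
    return out


def merge_into(new_config_xml: str, pki: dict) -> str:
    """Append the old PKI and users to the new config without overwriting
    anything the new config already has (the new admin user in particular)."""
    if dangling_refs(pki):
        raise ValueError("inconsistent PKI: " + "; ".join(dangling_refs(pki)))
    root = ET.fromstring(new_config_xml)
    have = {n.findtext("refid") for n in root.findall("ca") + root.findall("cert")}
    for kind in ("ca", "cert"):
        for refid, node in pki[kind].items():
            if refid not in have:
                root.append(copy.deepcopy(node))
    system = root.find("system")
    names = {u.findtext("name") for u in system.findall("user")}
    for user in pki["user"]:
        if user.findtext("name") not in names:
            system.append(copy.deepcopy(user))
    return ET.tostring(root, encoding="unicode")


def summary(config_xml: str) -> dict:
    """Quick before/after check of what a config.xml carries."""
    pki = extract_pki(config_xml)
    return {"ca": sorted(pki["ca"]), "cert": sorted(pki["cert"]),
            "user": [u.findtext("name") for u in pki["user"]]}


if __name__ == "__main__":
    old = extract_pki(OLD_CONFIG)
    for name, pem in export_pem(old).items():
        print(name, pem.splitlines()[0])
    print(summary(merge_into(NEW_CONFIG, old)))
```

To use it on a real backup, read the two files instead of the constructed strings, write the PEM files for the Cert Manager route, or upload the merged file via Diagnostics > Backup & Restore for the block-copy route; either way test from a second session before closing the one you are in, and shred the decoded .key files when done. Merging twice is harmless because existing refids and user names are never overwritten, and the merge refuses to run while a cert points at a CA, or a user at a cert, that is not being carried over.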
Jarhead @bingo600

                  @bingo600 said in Restore certs and users from backup:

                  I would prob. rather break an arm than use a Webpage to convert my private cert key...

How would the site know what you're using it for??

bingo600 @Jarhead

                    @jarhead said in Restore certs and users from backup:

How would the site know what you're using it for??

                    Have you ever looked at the info embedded in a certificate ??

                    /Bingo


Jarhead @bingo600

                      @bingo600 said in Restore certs and users from backup:

                      @jarhead said in Restore certs and users from backup:

How would the site know what you're using it for??

                      Have you ever looked at the info embedded in a certificate ??

                      /Bingo

                      Yes. And?

stephenw10 (Netgate Administrator)

                        If you open a ticket with us we can convert your original config so it will import into the 1100 directly. Complete with all the users and certs.
                        https://www.netgate.com/tac-support-request

                        Steve

sgw @stephenw10

                          @stephenw10 great, thanks!
                          I will consider doing so.

                          But you know what? The one employee using OpenVPN told me an hour ago that she doesn't even use it anymore! So I might not even need that setup anymore.

                          For my own administrative purposes I can simply start from scratch or even use Wireguard instead.

                          Thanks all for the feedback and help!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.