Netgate Discussion Forum

    Trouble chaining CAs when generating PFX

    Category: ACME
      dono
      last edited by dono

      I have been using the Acme plugin for a few years without any issues. It generates a wildcard certificate that I am able to use on multiple servers. Recently, though, I ran into a problem when trying to generate a signed PFX.

      1. Export the certificate and private key from System / Certificate Manager / Certificates.
      2. Download the intermediate and root CA certificates from System / Certificate Manager / CAs.
      3. Combine the intermediate and root CA certificates into a file:
      type "Acmecert_+O=Let's+Encrypt,+CN=R3,+C=US.crt" "Acmecert_+O=Internet+Security+Research+Group,+CN=ISRG+Root+X1,+C=US.crt" > cachain.pem
      
      4. Generate the PFX certificate:
      openssl pkcs12 -export -in <certificate> -inkey <private key> -chain -CAfile cachain.pem -passout pass:<password> -out <PFX file>
      

      This produces an error:
      Error loading file cachain.pem

      Opening the file, I notice that there is no new line between the two concatenated certificates:
      -----END CERTIFICATE----------BEGIN CERTIFICATE-----
      Can pfSense be improved to export certificates with a final line feed at the end?

      So I manually add one and re-save.
      Re-running the above command has a new error:
      Error unable to get issuer certificate getting chain.

      So I dumped each PEM certificate to follow the chain:

      openssl x509 -in <PEM certificate> -noout -text
      

      Leaf issuer:
      Issuer: C = US, O = Let's Encrypt, CN = R3

      Intermediate:
      Subject: C = US, O = Let's Encrypt, CN = R3
      Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1

      Root:
      Subject: C = US, O = Let's Encrypt, CN = R3
      Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1

      The Subject and Issuer do not match, so this is not really the root.
      Here are the reference certificates:
      Apparently this "ISRG Root X1" is the certificate cross-signed by DST Root CA X3.
      This "ISRG Root X1" though is not contained in the CA list.
      I think it would make more sense if the CA listed the self-signed ISRG Root X1.
      PEM link:
      TXT link:
      Otherwise it should include the DST Root CA X3 self-signed certificate.

      My workaround for this is to manually download the CA certificates rather than use those listed in System / Certificate Manager / CAs.

      curl -o lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
      curl -o isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem
      

      And then combine these for use in the certificate chain:

      type lets-encrypt-r3.pem isrgrootx1.pem > cachain.pem
      

      This also resolves the missing line feed between the certificates.

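Added example, not code from the post above and not anything pfSense or the ACME package ships: a POSIX shell script that does the same chain build and PFX export as the post, with the two checks its errors call for. `pem_cat` inserts the line feed that `type a b > out` (or `cat`) omits when the first file has no trailing newline, `pem_check` refuses a chain file with fused or unbalanced markers, and `build_pfx` runs `openssl verify` against the chain file before `openssl pkcs12 -export -chain`, so a chain that stops at an intermediate (or at a cross-signed "root" whose own issuer is absent) is rejected with a clear message instead of failing inside the export. The `demo` function builds a constructed root -> intermediate -> leaf hierarchy with throwaway keys; the hierarchy, file names and the three helper functions are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum post or from pfSense/ACME: build a
# CA chain file the way the post does, but check it before handing it to
# `openssl pkcs12 -export -chain`. Run `sh chain.sh demo` for a walk-through
# on a constructed root -> intermediate -> leaf hierarchy (needs openssl).
set -eu

# Concatenate PEM files, adding a line feed after any file that lacks one,
# so "-----END CERTIFICATE-----" never runs into the next BEGIN marker.
pem_cat() {
    for f in "$@"; do
        cat "$f"
        # $(tail -c1 f) is empty when the last byte is a newline (command
        # substitution strips trailing newlines); otherwise add one.
        [ -z "$(tail -c1 "$f")" ] || printf '\n'
    done
}

# Structural check of a chain file: BEGIN/END markers balanced and none
# fused onto one line. Prints the certificate count, or fails.
pem_check() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    fused=$(grep -c 'END CERTIFICATE-----.*-----BEGIN' "$1" || true)
    if [ "$fused" -ne 0 ] || [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "malformed chain $1: $begins BEGIN, $ends END, $fused fused" >&2
        return 1
    fi
    echo "$begins"
}

# Check the file, verify the leaf chains up to a self-signed root in it, and
# only then export the PFX with the post's own command. A chain whose last
# certificate is not self-signed fails the verify step with "unable to get
# issuer certificate", the same error pkcs12 -chain reports.
build_pfx() {
    cert=$1 key=$2 chain=$3 out=$4 pass=$5
    pem_check "$chain" >/dev/null || return 1
    openssl verify -CAfile "$chain" "$cert" >/dev/null || return 1
    openssl pkcs12 -export -in "$cert" -inkey "$key" -chain -CAfile "$chain" \
        -passout "pass:$pass" -out "$out"
}

# Constructed demo hierarchy with throwaway keys (no Let's Encrypt material).
demo() {
    d=$(mktemp -d)
    ecp='ec -pkeyopt ec_paramgen_curve:prime256v1'
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey $ecp -nodes -keyout "$d/root.key" -out "$d/root.pem" \
        -subj '/CN=Example Root' -days 2 2>/dev/null
    openssl req -newkey $ecp -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj '/CN=Example Intermediate' 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" 2>/dev/null
    openssl req -newkey $ecp -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj '/CN=leaf.example' 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null

    # 1. The post's first error: an export with no trailing newline, fused by cat.
    printf '%s' "$(cat "$d/int.pem")" > "$d/int_nolf.pem"
    cat "$d/int_nolf.pem" "$d/root.pem" > "$d/fused.pem"
    pem_check "$d/fused.pem" || echo "plain concatenation fused the markers"

    # 2. The second error: intermediate only, no self-signed root to chain to.
    pem_cat "$d/int_nolf.pem" > "$d/short.pem"
    build_pfx "$d/leaf.pem" "$d/leaf.key" "$d/short.pem" "$d/x.pfx" test 2>/dev/null \
        && echo "unexpected success" || echo "chain without self-signed root rejected"

    # 3. The working chain: intermediate plus the root that issued it.
    pem_cat "$d/int_nolf.pem" "$d/root.pem" > "$d/cachain.pem"
    build_pfx "$d/leaf.pem" "$d/leaf.key" "$d/cachain.pem" "$d/leaf.pfx" test
    n=$(openssl pkcs12 -in "$d/leaf.pfx" -passin pass:test -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE')
    echo "leaf.pfx carries $n certificates (leaf plus the chain)"
}

case "${1:-}" in demo) demo ;; esac
```

The `openssl verify` step is what separates the two failures in the post: a fused marker is a file-format problem that `pem_check` catches before any certificate is parsed, while "unable to get issuer certificate" means the chain file never reaches a self-signed certificate, which is what happens when the listed "root" is itself cross-signed by a CA that is not in the file. On Windows, `type a b > out` copies bytes exactly like `cat`, so the same line-feed fix applies.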
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.