Trouble chaining CAs when generating PFX
I have been using the Acme plugin for a few years without any issues. It generates a wildcard certificate that I am able to use on multiple servers. Recently though I ran into a problem when trying to generate a signed PFX.
- Export the certificate and private key from System / Certificate Manager / Certificates.
- Download the intermediate and root CA certificates from System / Certificate Manager / CAs.
- Combine the intermediate and root CA certificate into a file.
type "Acmecert_+O=Let's+Encrypt,+CN=R3,+C=US.crt" "Acmecert_+O=Internet+Security+Research+Group,+CN=ISRG+Root+X1,+C=US.crt" > cachain.pem
- Generate PFX certificate:
openssl pkcs12 -export -in <certificate> -inkey <private key> -chain -CAfile cachain.pem -passout pass:<password> -out <PFX file>
This produces an error:
Error loading file cachain.pem
Opening the file, I notice that there is no new line between the two concatenated certificates:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
Can pfSense be improved to export certificates with a final line feed at the end?
So I manually add one and re-save.
Re-running the above command has a new error:
Error unable to get issuer certificate getting chain.
So I dumped each PEM certificate to follow the chain:
openssl x509 -in <PEM certificate> -noout -text
Leaf issuer:
Issuer: C = US, O = Let's Encrypt, CN = R3
Intermediate:
Subject: C = US, O = Let's Encrypt, CN = R3
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Root:
Subject: C = US, O = Let's Encrypt, CN = R3
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
The Subject and Issuer do not match, so this is not really the root.
Here are the reference certificates:
Apparently this "ISRG Root X1" is the certificate cross-signed by DST root CA X3.
This "ISRG Root X1" though is not contained in the CA list.
I think it would make more sense if the CA listed the self-signed ISRG Root X1.
PEM link:
TXT link:
Otherwise it should include the DST Root CA X3 self-signed certificate.
My workaround for this is to manually download the CA certificates rather than use those listed in System / Certificate Manager / CAs.
curl -o lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
curl -o isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem
And then combine these for use in the certificate chain:
type lets-encrypt-r3.pem isrgrootx1.pem > cachain.pem
This also resolves the missing line feed between the certificates.
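Both failures in the post (certificates fused together by a missing line feed, and a bundle whose last certificate is cross-signed rather than self-signed) can be caught before openssl pkcs12 ever runs. The script below is an added example, not code from the post or from pfSense. It is written for a POSIX shell with openssl in PATH (the post's `type` step is Windows cmd, but the steps are the same), and every file name in it is a placeholder chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build a CA bundle for
# "openssl pkcs12 -export -chain" and diagnose the two problems hit in the
# post before exporting. All file names are placeholders.
set -e

# Concatenate PEM files, adding a line feed after any file that lacks one, so
# "-----END CERTIFICATE-----" and "-----BEGIN CERTIFICATE-----" never share a line.
join_pems() {  # $1 = output bundle, $2... = input PEM files
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # $(tail -c 1) is empty when the last byte of the file is a newline
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
}

# Succeeds only if no END marker runs straight into a BEGIN marker.
pem_is_clean() {
    ! grep -q -- 'END CERTIFICATE----------BEGIN CERTIFICATE' "$1"
}

# Number of certificates in a bundle (prints 0 for none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a bundle into 01.pem, 02.pem, ... inside directory $2, in file order.
split_pems() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# Print a certificate's subject or issuer without the "subject="/"issuer=" prefix.
name_of() {  # $1 = -subject or -issuer, $2 = certificate file
    v=$(openssl x509 -in "$2" -noout "$1") || return 1
    printf '%s\n' "${v#*=}"
}

# Walk leaf -> 01.pem -> 02.pem ...: each issuer must equal the next subject,
# and the last certificate must be self-signed. A cross-signed "root" (the
# ISRG Root X1 issued by DST Root CA X3 in the post) fails the final check.
walk_chain() {  # $1 = leaf certificate, $2 = directory produced by split_pems
    issuer=$(name_of -issuer "$1") || return 1
    subj=
    for f in "$2"/*.pem; do
        subj=$(name_of -subject "$f") || return 1
        if [ "$issuer" != "$subj" ]; then
            echo "chain break: need a cert with subject '$issuer', got '$subj'" >&2
            return 1
        fi
        issuer=$(name_of -issuer "$f") || return 1
    done
    if [ "$issuer" != "$subj" ]; then
        echo "last cert '$subj' is not self-signed (issuer '$issuer'): bundle ends in a cross-signed cert, not a root" >&2
        return 1
    fi
}

check_chain() {  # $1 = leaf certificate, $2 = bundle (intermediates first, root last)
    pem_is_clean "$2" || { echo "$2: fused PEM blocks (missing line feed)" >&2; return 1; }
    [ "$(count_certs "$2")" -ge 1 ] || { echo "$2: no certificates" >&2; return 1; }
    dir=$(mktemp -d)
    split_pems "$2" "$dir"
    walk_chain "$1" "$dir" && rc=0 || rc=$?
    rm -rf "$dir"
    return $rc
}

# Build the bundle, prove the chain, then export. "openssl verify" fails with
# the same "unable to get issuer certificate" that pkcs12 -chain reports, so
# it runs first as a cheap pre-check.
build_pfx() {  # leaf key out.pfx password ca1 [ca2 ...]  (intermediates first, root last)
    leaf=$1; key=$2; pfx=$3; pass=$4; shift 4
    join_pems cachain.pem "$@"
    check_chain "$leaf" cachain.pem || return 1
    openssl verify -CAfile cachain.pem "$leaf" >/dev/null || return 1
    openssl pkcs12 -export -in "$leaf" -inkey "$key" -chain -CAfile cachain.pem \
        -passout "pass:$pass" -out "$pfx"
}

# Example invocation with the file names from the post's workaround:
#   build_pfx cert.pem cert.key cert.pfx 'password' lets-encrypt-r3.pem isrgrootx1.pem
```

Two notes on use: check_chain only compares names, so it tells you which link is missing or out of order, while openssl verify is what actually checks the signatures; and `-passout pass:...` puts the PFX password on the command line where other local users can read it from the process list, so on a shared host prefer `-passout env:VAR` or `-passout file:path`.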