Certificate error
-
@Antibiotic said in Certificate error:
I import CA client cert
There is no 'CA client cert' there is just the CA cert. This:
-
Creafed 2 cert for server and client and put to windows trust
store HomeCA -
You exported the HomeCA cert from pfSense and imported it into Windows?
-
@Antibiotic hey there,
to get rid of that warning, this works for me (and should in general):
go to your own CA in pfsense, export its cert (second from the left symbol), save it in your downloads directory...(or as needed)
Then open your firefox browser: go to settings > security > certificates here press show certificates.
Then go to tab certificate authorities, here press import. Import your saved CA cert. Close browser.
Start browser, go to your pfsense gui. If everything is done correctly the warning should be gone. Instead the lock symbol is showing a safe connection, moving the cursor on it should show something like "certified by YOUR CA NAME".
Delete that CA cert from your pc. Your browser should now know (and trust) pfsense's webserver cert, since it knows the CA (imported certificate)... -
@stephenw10 yes
-
@Antibiotic here is walk through I did back in 2019
-
@johnpoz Thanks, this guide work for me as well)))
-
@Antibiotic glad you got it sorted.. The only bad thing is browsers now complain about long life certs.. I think something like 398 days or something max..
Use to be able to create a cert good for 10 years, and have no worries most likely for the life of the equipment you were using it on.. Now you have to renew it every year or so..
Now that you have a CA your browser trusts you can sign certs with if for all your devices that use a webgui.. So you can get your browser to stop complaining for stuff like switches, printers, other software.. My nas and unifi controllers webguis all use certs signed by my home CA..
Since your using your own CA you can create certs for any domain you want to use, home.arpa for example - or the new .internal that also intended for local use. You can add rfc1918 IPs in you the SAN so that even when you access via IP vs fqdn your browser won't complain.
Sure ACME has been a game changer for Certs.. And is great for something that a browser you do not control will be accessing. I use them for services I expose to the public. But 90 day renew kind of pain, even if can be automated. But you have to use a public domain, which can be problematic to use internally to be honest, you can not add rfc1918 IPs.. For the admin guis of stuff you admin, with your devices - use of your own CA is better option imho..
-
@johnpoz said in Certificate error:
complain about long life certs
I use edge and don't have any complains about that 10 years cert, do not see any warnings)))
-
@Antibiotic said in Certificate error:
I use edge and don't have any complains about that 10 years cert, do not see any warnings))
Microsoft can't publish more then one 'bad news' a day.
The update that will make Edge bark over "10 year certs" is probably already queued. -
@Antibiotic all the other browsers have implemented the like 1 year limit.. But seems from a quick google msedge finally got something right ;) If the CA is private, then the limit is not enforced..
oh - another quick google, and wow - seems they all do not enforce limits for private CAs.. Sweet!! When I had moved over to home.arpa and changed my certs I set them to 1 year.. When comes time to renew, back to 10 years for me ;)
See helping people you can learn something new yourself - thanks!!
-
@johnpoz Fine)))
-
-
@Antibiotic I forked that question to a new thread..
https://forum.netgate.com/topic/187866/ns8250-uart-fcr-is-broken-duirng-boot-os
-
@johnpoz Ok. thanks
-
@johnpoz I read about that every now and then too...
BUT: here it is working with a cert lifetime of 10 years with chromium and firefox (both up to date) without any complaints... -
@the-other yeah I saw the headlines about the changes, etc but never really dove into the details.. Just figured it was all certs, and assumed my old certs were just grandfathered in - because I recall reading it was for certs issued after a specific date.
So when I redid mine to move to home.arpa I just made them for 1 year.. What I get for not reading the small print ;)
-
Mmm, I'm pretty sure it does apply to server certs. We had to change the default values for the gui and openvpn wizrad etc. But the CA cert can still be much longer.
-
@johnpoz Hello can me use pfSesne system/patches to apply this patch or its only for pfsesne inside system? I mean over this can implement any pacth to system or only from redmine.pfsense.org?
https://cgit.freebsd.org/src/commit/?id=c4b68e7e53bb352be3fa16995b99764c03097e66 -
Create a CA Root with 10 year lifetime. Then create another CA cert and have it signed by CA Root. And finally create your normal certs and have it signed by the previous CA cert. This is how chain of certificates work.
The reason for the chain is part of how you revoke the certs. So for example if you revoke the server cert you just recreate the new server cert and have it signed by previous CA cert which is also signed by CA Root.
Just import your CA root into your browser and trust it. From then on any certs signed by CA root will automatically be trusted.
CA Root << Primary root cert
CA cert << intermediate cert signed by CA Root
CA cert signed by intermediate cert which you use for servers such as HAproxy and webGUI.You should have three working certs.
Hope this helps.
-
@Antibiotic said in Certificate error:
@johnpoz Hello can me use pfSesne system/patches to apply this patch or its only for pfsesne inside system? I mean over this can implement any pacth to system or only from redmine.pfsense.org?
https://cgit.freebsd.org/src/commit/?id=c4b68e7e53bb352be3fa16995b99764c03097e66The System patches package only looks for pfSense commits if you try to create a patch by commit ID. You can of course import a diff file or copy/paste the diff in directly. However you can't do it with that patch because it's a compiled driver, that's the source code. You can on;y patch run time scripts in pfSense dircetly.
You should start a new thread for anything that isn't certificate related. It's very difficult to follow your questions when you keep changing topics part way through a thread.
Steve