How do I renew this Certificate Athority

johnpoz

@LarryFahnoe said in How do I renew this Certificate Athority:

Why not use a publicly trusted cert?

Because its just another thing that could break for one.. And there is zero point to it.. Refreshing the cert does nothing.. Are you going to change something in the cert, like the key type or digest? Can't really do that with a refresh anyway.. This would be a new issue. Which using your own CA allows you to control when that happens easier vs having to renew something every 90 that has zero need to be renewed that often.

Just like I would never use acme for for road warrior vpn either.. There is zero point to it.. Since all the devices that would be connecting would be under my control.

Don't get me wrong acme is great, and use them myself for a couple of certs, but that is because there are clients outside of my control accessing them for sites I publish.

But for every other thing I just use my own CA and issue my own certs.. Like for the https on my nas, my switches, my unifi controller, my printer gui, my camera and nvr guis, etc. I can then add rfc1918 IPs as SAN, I can use whatever domain I want without it having to be public - using home.arpa currently.. And since they are issued by a private CA there is not 365 day limit.. I issue the certs for 10 years, and more than likely won't have to worry about redoing those certs until I replace the hardware, etc. A public CA and domain on those things make little sense because the only one accessing them is my or my devices that I control.

The access is local to my network, so the need of https is kind of pointless anyway - but browsers complain about accessing a web gui that is not https.. So I put a 10 year cert on them to shut the browser up ;)

LarryFahnoe

@johnpoz said in How do I renew this Certificate Athority:

Refreshing the cert does nothing

Perhaps I am incorrect, but I thought that each cert was unique & thus provided unique keying material for use in the remainder of the connection.

Your other commentary is appreciated and is consistent with my own typical desire to be able to be responsible for the rest of the tools in use. I have simply held off from running my own CA as each time I've looked into it, the strong suggestions are to keep the signing CA offline which represents more hassle than I felt was warranted by my usage. LE & acme seem to provide a level of service for all the certs I need.

It is just a puzzle to me that strongswan on pfsense only seems to work when the X1 cert is manually imported, which makes no sense since the same cert is already in the CA bundle used by pfsense.

--Larry

johnpoz

@LarryFahnoe said in How do I renew this Certificate Athority:

each cert was unique

Yeah its unique - you think someone is going to brute force generation of your cert so you should change it every 90 day? But the uniqueness of the cert doesn't matter - any cert can auth that has been signed by the CA..

strong suggestions are to keep the signing CA offline

Really - are you working for the DoD or something? Come on, if some compromised your pfsense.. Access to the CA is the least of your worries.. There is security, and then there is tin foil hat cutting off the blood to your brain..

Are you wanting to become a public CA? And compete with acme? How is their signing CA offline when you can get a cert in 30 seconds.. How is any public CA offline when they issue certs in a few minutes.. They have an intermediate signing CA, which sure you could do that if you want.. But I would just not wear the tinfoil hat that tight.. Did you catch that really don't even need a cert because the guis are on my local network - its to shut the browser up.. But now you want to take your CA offline?

But sure if you want create the CA, then take it offline - I mean how often are you creating a cert for setting up a tunnel? I wouldn't do that if you were creating road warrior certs ;) Again you live the intermediate signing CA online, and take the Root CA offline.. But again this seems a bit over the top to me..

I have no idea about what strongswan is wanting to see, but if the CA is the same signing CA doesn't matter where it came from be it in the OS or you added it.. But does pfsense even use the OS ca's for stuff like openvpn, or ipsec?

They are not presented to be chosen when you setup openvpn that is for sure - only the CAs listed in the cert manager auth are allowed to be picked from.

To that specific amce CA - I deleted that long time ago when they replaced it.. These are the only amce cas I have liste

LarryFahnoe

@johnpoz said in How do I renew this Certificate Athority:

There is security, and then there is tin foil hat cutting off the blood to your brain..

Fair enough John. I've been round the block enough times to feel comfortable with my approaches to security but can certainly appreciate your perspective. I've acknowledged that I'm not expert in this area & am just seeking to improve my understanding of the technology in use, specifically why I need to manually import the X1 cert when it is already present in the system...apparently some tools in pfsense use the OS CA bundle & some do not; seems like strongswan doesn't and openvpn (if that is what you're using) does. In the meantime, thanks to the GD, we can listen to the music play.

--Larry

darcey

@LarryFahnoe said in How do I renew this Certificate Athority:

apparently some tools in pfsense use the OS CA bundle & some do not

This caused me some confusion. Then it dawned on me the acme certificate management package doesn't interact with system CA bundle.
Thanks @LarryFahnoe and @johnpoz for the very helpful discussion.

johnpoz

@darcey If I were to guess, I would think packages like pfblocker or something that downloads lists from https urls would use the OSes trusted say to know those certs are valid.

Pfsense itself would CAs in its OS store for like checking for updates and stuff from pfsense.

But any packages or service that allows you to be specific for a CA or certs to auth with prob doesn't use the OS store and only stuff you have in the cert manager, like haproxy, openvpn, freerad server, etc.

johnpoz

@LarryFahnoe said in How do I renew this Certificate Athority:

thanks to the GD, we can listen to the music play.

You got that right ;) hahah - I think you might be the only person who as ever caught that quote, or at least commented on it!

If you let your hair grow a bit and let the stache get a bit longer you could maybe pass for Bobby with a quick glance btw ;)

LarryFahnoe

Well then, for those who're not catching John's reference: http://gdradio.net The music plays the band!

--Larry

johnpoz

@LarryFahnoe here is a link to just before the line ;)

Youtube Video – [03:20..]

Grateful Dead - Franklin's Tower - 10/31/1980 - Radio City Music Hall, New York, NY

Couple good zoom ins of Jerry playing tiger, and a few good Jerry smile though out..

LarryFahnoe

@johnpoz Yes indeed!!! Love to listen/watch the moments when they're picking the next song in the set...in this case a quick word between Jer & Bob, but then Jer's smile as the drummers take off, good stuff! These days I keep hearing Throwing Stones.

--Larry