• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Missing "critical" value in Basic Constraints for RootCA generated by pfSense

Scheduled Pinned Locked Moved General pfSense Questions
9 Posts 3 Posters 3.0k Views 3 Watching
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M Offline
    mmege
    last edited by Nov 5, 2024, 2:52 PM

    Hi every one,

    I am using pfSense and its user-friendly web interface to generate and manage certificates.
    It appears that the CA certificates generated by the webapp does not contain the "critical" flag in its Basic Constraints part.

    I use these authorities to sign server certificates of my network inner services, and some of the client applications don't want to validate the cert chain due to this lack.

    Is it a deliberated choice or a bug in the script?

    1 Reply Last reply Reply Quote 0
    • S Offline
      stephenw10 Netgate Administrator
      last edited by Nov 5, 2024, 4:10 PM

      What error are you actually seeing when you try to import it?

      1 Reply Last reply Reply Quote 0
      • M Offline
        mmege
        last edited by mmege Nov 5, 2024, 6:30 PM Nov 5, 2024, 6:24 PM

        For example, I have a web server using a certificate signed by one of my CAs stored on pfSense web app. On another host, where the CA certificate file is installed in the trust store, a client application written in Python says, as soon as it tries to establish a TLS socket :

        certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)
        

        Finally, I was able to establish the connection by creating, aside from the pfSense web app, with openssl command, an intermediate CA certificate by adding the "critical" flag in basic constraints:

        $ openssl x509 -text -noout -in intermediateCA-SOL-PROD-OPE.crt
        
        ...
                X509v3 extensions:
                    X509v3 Basic Constraints: critical
                        CA:TRUE, pathlen:0
        ...
        
        1 Reply Last reply Reply Quote 0
        • S Offline
          stephenw10 Netgate Administrator
          last edited by Nov 5, 2024, 6:35 PM

          Hmm, interesting. I see that too:

          Basic Constraints
          Certificate Authority:	Yes
          Max Path Length:	Unlimited
          Critical:	No
          

          However I've never seen an issue importing it. 🤔

          1 Reply Last reply Reply Quote 0
          • M Offline
            mmege
            last edited by mmege Nov 5, 2024, 6:44 PM Nov 5, 2024, 6:43 PM

            Actually, It does not really imply the import. I encounter this issue with applications or libraries, when they try to establish a TLS connection and when, under the wood, openssl try to validate the certificate chain with one of its trust store. And the trusted CA certificate is lacking this flag (i.e. Basic Constraints contains CA: TRUEbut not the criticalas it should according to the RFC 5280

            1 Reply Last reply Reply Quote 0
            • S Offline
              stephenw10 Netgate Administrator
              last edited by Nov 5, 2024, 6:48 PM

              Mmm, I see. Yes, I mean I've never seen an issue using the imported CA cert which implies it's not being verified or not correctly.

              J 1 Reply Last reply Nov 5, 2024, 7:40 PM Reply Quote 0
              • S Offline
                stephenw10 Netgate Administrator
                last edited by stephenw10 Nov 5, 2024, 7:10 PM Nov 5, 2024, 7:10 PM

                https://redmine.pfsense.org/issues/15818

                1 Reply Last reply Reply Quote 1
                • M Offline
                  mmege
                  last edited by Nov 5, 2024, 7:18 PM

                  Thank you very much @stephenw10 ! :)

                  1 Reply Last reply Reply Quote 2
                  • J Offline
                    johnpoz LAYER 8 Global Moderator @stephenw10
                    last edited by Nov 5, 2024, 7:40 PM

                    @stephenw10 yeah I have installed the CA on multiple computers, both windows and linux. iphones and android tablet and never ran into a issue.

                    But yeah if should be tagged critical, should be an easy fix.

                    @mmege Glad you found a simple work around with creating intermediate with openssl

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 25.07 | Lab VMs 2.8, 25.07

                    1 Reply Last reply Reply Quote 1
                    9 out of 9
                    • First post
                      9/9
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                      This community forum collects and processes your personal information.
                      consent.not_received