Missing "critical" value in Basic Constraints for RootCA generated by pfSense

mmege · Nov 5, 2024, 2:52 PM

Hi every one,

I am using pfSense and its user-friendly web interface to generate and manage certificates.
It appears that the CA certificates generated by the webapp does not contain the "critical" flag in its Basic Constraints part.

I use these authorities to sign server certificates of my network inner services, and some of the client applications don't want to validate the cert chain due to this lack.

Is it a deliberated choice or a bug in the script?

stephenw10 · Nov 5, 2024, 4:10 PM

What error are you actually seeing when you try to import it?

mmege · Nov 5, 2024, 6:30 PM

For example, I have a web server using a certificate signed by one of my CAs stored on pfSense web app. On another host, where the CA certificate file is installed in the trust store, a client application written in Python says, as soon as it tries to establish a TLS socket :

certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)

Finally, I was able to establish the connection by creating, aside from the pfSense web app, with openssl command, an intermediate CA certificate by adding the "critical" flag in basic constraints:

$ openssl x509 -text -noout -in intermediateCA-SOL-PROD-OPE.crt

...
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
...

stephenw10 · Nov 5, 2024, 6:35 PM

Hmm, interesting. I see that too:

Basic Constraints
Certificate Authority:	Yes
Max Path Length:	Unlimited
Critical:	No

However I've never seen an issue importing it.

mmege · Nov 5, 2024, 6:44 PM

Actually, It does not really imply the import. I encounter this issue with applications or libraries, when they try to establish a TLS connection and when, under the wood, openssl try to validate the certificate chain with one of its trust store. And the trusted CA certificate is lacking this flag (i.e. Basic Constraints contains CA: TRUEbut not the criticalas it should according to the RFC 5280

stephenw10 · Nov 5, 2024, 6:48 PM

Mmm, I see. Yes, I mean I've never seen an issue using the imported CA cert which implies it's not being verified or not correctly.

stephenw10 · Nov 5, 2024, 7:10 PM

https://redmine.pfsense.org/issues/15818

mmege · Nov 5, 2024, 7:18 PM

Thank you very much @stephenw10 ! :)

johnpoz · Nov 5, 2024, 7:40 PM

@stephenw10 yeah I have installed the CA on multiple computers, both windows and linux. iphones and android tablet and never ran into a issue.

But yeah if should be tagged critical, should be an easy fix.

@mmege Glad you found a simple work around with creating intermediate with openssl