Unable to create internal certificate (CA not detected)
-
I've been trying and failing to create a new certificate for my pfSense system. I'm running 25.07.1 on a Netgate SG-3100. Either I'm completely missing something obvious, or there's a bug at play here.
First I've created a CA. I tried both with and without checking the box to add it to the system's trust store and also the box to use random numbers. I've also rebooted the machine after creating them, just to be extra sure. This is what they look like:
Yet, I'm unable to use them to create a new certificate. It just says "No internal Certificate Authorities have been defined. An internal CA must be defined in order to create an internal certificate. Create an internal CA.":
If anyone has any ideas on how to solve this, it would be much appreciated.
-
What pfSense version are you testing in?
-
@lindhe said in Unable to create internal certificate (CA not detected):
I'm running 25.07.1 on a Netgate SG-3100.
-
Doh!
-
Double Doh...
I'm using 25.07.1 as well (on a 4100) and I can create a CA by entering 'test' and hitting the save button:
When creating a certificate, I can select/use it:
So not sure about what is going on.
-
Yup, works for me too on a 3100. Must be something invalid about that CA. Dates out of range perhaps?
-
@stephenw10 said in Unable to create internal certificate (CA not detected):
Dates out of range perhaps?
Good suggestion. I tried 365 days instead of the default 3650 days for the CA, but same effect.
I love it when I find bugs that are unique to my setup.
-
Try this:
Make a backup of your config.
Delete all your CAs. (Edit: the ones you've added yourself. There may be other certs, see the image below; you've probably imported these, don't delete these.)
Then, as I've shown above: create a new CA. Name it like me: "test", do/add nothing else, and hit the Save button.
Now, create a certificate, and check if you can select the CA named "test".
edit :
-
The valid from and to dates are correct though? A CA that was, for some reason, no longer valid would be hidden.
You might try exporting the CA and examining it in a cert viewer to check for anything obviously wrong.