    External CA

    2.0-RC Snapshot Feedback and Problems - RETIRED
      fredriksimon

      I'm trying to add a user cert from an external CA to a user, but it's not working. What are the requirements on the certificate to add it to a user?

      /Fredrik

        jimp Rebel Alliance Developer Netgate

        Which part doesn't work?

        Does it give an error, or does the CA just not show up in the list?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          fredriksimon

          I have no internal CA, so when I'm trying to add a certificate to a user I get this message: "No internal Certificate Authorities have been defined. You must create an internal CA before creating an internal certificate."

          /Fredrik

            jimp Rebel Alliance Developer Netgate

            Hmm, I thought you could still make a user key in that case, but I'll need to run some tests to see what the problem might be there.

              jimp Rebel Alliance Developer Netgate

              Yeah the user key needs to be 'signed' by the CA, which requires its private key.

              What you really need is to make a CSR, which is then signed by the CA, and then import the resulting key into the user.

              Looks like we don't have a way in the GUI to make a CSR for a user cert though.

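The CSR workflow described in the post above, run with the `openssl` command line away from the firewall, followed by the two checks worth making on the returned certificate before importing it anywhere. This is an added example, not part of the original thread and not pfSense code; it assumes `openssl` is installed, the CA it creates is a constructed stand-in for the external CA, and `vpnuser1` and the file names are hypothetical.

```bash
#!/bin/sh
# Added example (not from the thread): CSR workflow for a user certificate.
# "vpnuser1" and "Example External CA" are constructed names; the CA made
# here is only a stand-in for the real external CA.
set -eu
umask 077   # keep generated private keys unreadable to other users

# Stand-in CA. A real external CA keeps ca.key to itself, which is why the
# firewall cannot issue user certificates under that CA on its own.
make_demo_ca() {    # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example External CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Requester side: create the user's key pair and a CSR. Only user.csr is
# sent to the CA; user.key never leaves the requester.
make_user_csr() {   # $1 = output directory, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
}

# CA side: sign the CSR with the CA's private key.
sign_csr() {        # $1 = directory holding ca.key, ca.crt and user.csr
    openssl x509 -req -in "$1/user.csr" -days 30 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAserial "$1/ca.srl" -CAcreateserial \
        -out "$1/user.crt" 2>/dev/null
}

# Check 1: the returned certificate verifies against the CA certificate.
cert_chains_to_ca() {   # $1 = CA cert, $2 = user cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: the certificate carries the public half of the user's key.
key_matches_cert() {    # $1 = user cert, $2 = user key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_ca "$demo_dir"
make_user_csr "$demo_dir" vpnuser1
sign_csr "$demo_dir"
if cert_chains_to_ca "$demo_dir/ca.crt" "$demo_dir/user.crt" &&
   key_matches_cert "$demo_dir/user.crt" "$demo_dir/user.key"; then
    echo "user.crt chains to the CA and matches user.key"
fi
```
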
                fredriksimon

                I already have a certificate for the user that I would like to use. But if the only way is to make a CSR I can.

                /Fredrik

                  jimp Rebel Alliance Developer Netgate

                  Why do you need to import the user cert into the GUI?

                  I have a ticket open to add that, but it really doesn't gain you much of anything (besides the ability to use the client exporter)

                    fredriksimon

                    I want to run an OpenVPN server on my firewall with my external certificate and use the client exporter. I think there are some other problems with running an OpenVPN server with an external CA.

                    /Fredrik

                      jimp Rebel Alliance Developer Netgate

                      The only thing holding you back from that scenario is that you can't use the exporter.

                      What "other problems" are you referring to with an external CA?

                        fredriksimon

                        Would like to use the client exporter, but there is no big problem to not use it.

                        One more thing regarding external user cert. I can and have imported the user cert in cert manager. So I want to bind that cert to a user.

                        I have done some more digging into the other problem; it's the wizard that's not working. I select in the wizard that I want to use an existing external CA, but the wizard still creates a new internal CA for my OpenVPN server.

                        /Fredrik

                          jimp Rebel Alliance Developer Netgate

                          @fredriksimon:

                          One more thing regarding external user cert. I can and have imported the user cert in cert manager. So I want to bind that cert to a user.

                          You can't do that from there. (yet?) That isn't used for user certificates right now, though eventually I'd like to unify that so it can be managed from the same place in addition to doing it from the user manager.

                          @fredriksimon:

                          I have done some more digging into the other problem; it's the wizard that's not working. I select in the wizard that I want to use an existing external CA, but the wizard still creates a new internal CA for my OpenVPN server.

                          I'll have to look into that. It's been a while since I worked on the wizard, I thought that was working last time I tested it.

                            jimp Rebel Alliance Developer Netgate

                            Selecting an existing CA (internal or external) should be OK now in the wizard. It won't be in the next snapshot, but it will be in the one after that.
