How to add an imported ca's private key afterwards (edit: ca 2x in the config?)

  • Hi,

    When I started to use pfsense in May, it was only possible to import a foreign ca's certificate, not its private key.
    Since some time you added the option to also import the private key of a ca.

    Is it somehow possible to add the private key to a previously imported ca crt?
    I was thinking of deleting this ca and reimporting it with its private key, but then the caref wouldn't be the same I guess and this would break my ipsec configuration which uses a certificate signed by that ca. Or am I wrong?

    When I look inside the config the certificates and private keys are encoded differently so I couldn't manually add it by copying and pasting.

    Thank you very much for any help!


  • Rebel Alliance Developer Netgate

    I don't think I have a way to do that in the GUI. Didn't think it would be needed really.

    You are right the caref would be different in that case. I may have to revisit the issue.

    The 'encoding' is just a base64_encode() of the text in the input field.

    So if you can go to Diagnostics > Command and do something like:

$foo = <<<eod
blahblahcertdatablah
eod;
echo base64_encode($foo);

    And then hack the result into the config in the proper place, that would work for now.
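The reply above says the stored value is just base64_encode() over the pasted PEM text, and that deleting and reimporting the CA would change its refid and break the IPsec caref. The following is an added example (not from this thread and not pfSense's own code) showing both points in one place: encoding a PEM private key the same way, and splicing it into the existing <ca> entry while leaving its <refid> untouched. It assumes the config layout <pfsense><ca><refid>/<crt>/<prv>/<serial> (only <ca>, caref and serial are named in the thread; <crt> and <prv> are assumed element names), and the config fragment and key blob are constructed placeholders, not real material.

```python
"""Added example (not from the pfSense forum thread or from pfSense itself):
what "base64_encode() of the text field" means for config.xml, and how to
add an encoded private key to an existing <ca> entry without changing its
refid, so caref references from IPsec keep resolving.

Assumptions (not stated in the thread): the CA entry lives under <pfsense><ca>,
the certificate is in <crt>, and the key goes in <prv>. The sample config and
the PEM blob below are constructed, not real."""
import base64
import xml.etree.ElementTree as ET

# Constructed, non-functional PEM text standing in for a real key file.
SAMPLE_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "TUlJRXBBSUJBQUtDQVFFQXNhbXBsZS1ub3QtYS1yZWFsLWtleQ==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# Constructed config fragment: a CA imported before key import existed,
# so it has <crt> but neither <prv> nor <serial>.
SAMPLE_CONFIG = """<pfsense>
  <ca>
    <refid>4f1a2b3c4d5e6</refid>
    <descr>Imported CA</descr>
    <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t</crt>
  </ca>
</pfsense>"""


def encode_pem_field(pem_text: str) -> str:
    """Encode a PEM blob the way the GUI does: base64 over the raw text,
    BEGIN/END lines and newlines included. Refuses anything that does not
    look like a PEM private key, so a pasted certificate is not stored as a key."""
    stripped = pem_text.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    if not (first_line.startswith("-----BEGIN") and first_line.endswith("PRIVATE KEY-----")
            and stripped.endswith("PRIVATE KEY-----")):
        raise ValueError("input is not a PEM-encoded private key")
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def decode_pem_field(value: str) -> str:
    """Inverse of encode_pem_field; handy for checking what a config already holds."""
    return base64.b64decode(value).decode("ascii")


def add_private_key(config_xml: str, refid: str, pem_text: str, serial: int = 1) -> str:
    """Return config_xml with <prv> (and <serial>, if absent) added to the <ca>
    whose <refid> matches. The refid itself is never touched, which is the
    whole reason for editing in place instead of deleting and reimporting."""
    root = ET.fromstring(config_xml)
    for ca in root.findall("ca"):
        if ca.findtext("refid") != refid:
            continue
        if ca.find("prv") is not None:
            raise ValueError(f"CA {refid} already has a private key")
        prv = ET.SubElement(ca, "prv")
        prv.text = encode_pem_field(pem_text)
        if ca.find("serial") is None:
            ser = ET.SubElement(ca, "serial")
            ser.text = str(serial)  # "1" is the safe starting value suggested in the thread
        return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no <ca> with refid {refid}")


def ca_summary(config_xml: str, refid: str) -> dict:
    """Inspect one CA entry: refid, decoded key (or None) and serial."""
    root = ET.fromstring(config_xml)
    for ca in root.findall("ca"):
        if ca.findtext("refid") == refid:
            prv = ca.findtext("prv")
            return {
                "refid": refid,
                "key_pem": decode_pem_field(prv) if prv else None,
                "serial": ca.findtext("serial"),
            }
    raise KeyError(refid)


if __name__ == "__main__":
    updated = add_private_key(SAMPLE_CONFIG, "4f1a2b3c4d5e6", SAMPLE_KEY_PEM)
    print(updated)
    print(ca_summary(updated, "4f1a2b3c4d5e6"))
```

Run it against a copy of config.xml rather than the live file, diff the result, and only then restore it; the script deliberately refuses to overwrite an existing <prv> so an entry that already has a key is left alone.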

  • Wow, thanks jimp for the fast answer!

    I will try that!


  • Hmm sorry I got another question about the config:

    Why do the ca certificate and private key data exist 2 times in the config?
    Also what about the serial tag regarding the ca?

    The internal ca certificate data have a serial of 25 at the first place in the config and a serial of 26 at the second (at the bottom of the file).

    When I was to add that private key to the external ca, would I also need to add it 2 times and add a serial tag (which doesn't exist yet for this imported ca)?

    Thank you!

  • Rebel Alliance Developer Netgate

    It shouldn't exist twice in the config.

    If you see it under <system>, that should have been removed when I relocated the certificate code out from under there. Those entries are no longer used and can be deleted.

  • ok thanks, but what about the serial tag? Why is there a serial for the internal ca and none for the imported one?

  • Can I delete any <cert> tags under system or just the ca ones?

  • Rebel Alliance Developer Netgate

    I'd have to trace back through the code again to remember that one. I think it was something of a revision tag, but you can probably add one safely as "1". It isn't a unique ID, that's the refid, so the serial isn't used for significant things like that.

    You can delete any <ca>, <cert>, or <crl> tags under <system>.

  • Rebel Alliance Developer Netgate

    This was stuck in my inbox, haunting me, but I finally managed to work up a fix.

    You should be able to edit CAs and add private keys now.

  • Thank you jimp!
    This is great! At least for me it's very useful since I have some imported CAs left from the time when you couldn't import private keys.
    Also, if you changed your mind and wanted to add the private key later, it's a great feature.

    Thank you!

  • Rebel Alliance Developer Netgate

    Just remember when importing a CA to check what your highest certificate serial number is and set it in the GUI as appropriate, so you don't get certificates with overlapping serials. (It makes revoking them a PITA)

  • Thnx I'll watch out and try it out once I can upgrade the box.
