How to add an imported ca's private key afterwards (edit: ca 2x in the config?)

mxx

Hi,

When I started to use pfsense in May, it was only possible to import a foreign ca's certificate, not its private key.
Since some time you added the option to also import the private key of a ca.

Is it somehow possible to add the private key to a previously imported ca crt?
I was thinking of deleting this ca and reimporting it with its private key, but then the caref wouldn't be the same I guess and this would break my ipsec configuration which uses a certificate signed by that ca. Or am I wrong?

When I look inside the config the certificates and private keys are encoded differently so I couldn't manually add it by copying and pasting.

Thank you very much for any help!

Max

jimp

I don't think I have a way to do that in the GUI. Didn't think it would be needed really.

You are right the caref would be different in that case. I may have to revisit the issue.

The 'encoding' is just a base64_encode() of the text in the input field.

So if you can go to Diagnostics > Command and do something like:

$foo = <<<eod<br>blahblahcertdatablah
EOD;
echo base64_encode($foo);</eod<br>

And then hack the result into the config in the proper place, that would work for now.

mxx

Wow, thanks jimp for the fast answer!

I will try that!

Thanks!

mxx

Hmm sorry I got another question about the config:

Why do the ca certificate and private key data exist 2 times in the config?
Also what about the serial tag regarding the ca?

The internal ca certificate data have a serial of 25 at the first place in the config and a serial of 26 at the second (at the bottom of the file).

When I was to add that private key to the external ca, would I also need to add it 2 times and add a serial tag (which doesn't exist yet for this imported ca)?

Thank you!

jimp

It shouldn't exist twice in the config.

If you see it under <system>, that should have been removed when I relocated the certificate code out from under there. Those entries are no longer used and can be deleted.</system>

mxx

ok thanks, but what about the serial tag? Why is there a serial for the internal ca and none for the imported one?

mxx

Can I delete any <cert>tags under system or just the ca ones?</cert>

jimp

I'd have to trace back through the code again to remember that one. I think it was something of a revision tag, but you can probably add one safely as "1". It isn't a unique ID, that's the refid, so the serial isn't used for significant things like that.

You can delete any <ca>, <cert>, or <crl>tags under <system>.</system></crl></cert></ca>

jimp

This was stuck in my inbox, haunting me, but I finally managed to work up a fix.

https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/bfa992bc4eb8f8674f44b94e8617a032854356e9

You should be able to edit CAs and add private keys now.

mxx

Thank you jimp!
This is great! At least for me it's very useful since I have some imported CA's left from the time where you couldn't import priv.keys.
Also if you changed your mind and wanted to add the priv key later.. it's a great feature.

Thank you!

jimp

Just remember when importing a CA to check what your highest certificate serial number is and set it in the GUI as appropriate, so you don't get certificates with overlapping serials. (It makes revoking them a PITA)

mxx

Thnx I'll watch out and try it out once I can upgrade the box.