How to add an imported ca's private key afterwards (edit: ca 2x in the config?)
-
Hi,
When I started to use pfsense in May, it was only possible to import a foreign ca's certificate, not its private key.
Since some time you added the option to also import the private key of a ca.Is it somehow possible to add the private key to a previously imported ca crt?
I was thinking of deleting this ca and reimporting it with its private key, but then the caref wouldn't be the same I guess and this would break my ipsec configuration which uses a certificate signed by that ca. Or am I wrong?When I look inside the config the certificates and private keys are encoded differently so I couldn't manually add it by copying and pasting.
Thank you very much for any help!
Max
-
I don't think I have a way to do that in the GUI. Didn't think it would be needed really.
You are right the caref would be different in that case. I may have to revisit the issue.
The 'encoding' is just a base64_encode() of the text in the input field.
So if you can go to Diagnostics > Command and do something like:
$foo = <<<eod<br>blahblahcertdatablah EOD; echo base64_encode($foo);</eod<br>
And then hack the result into the config in the proper place, that would work for now.
-
Wow, thanks jimp for the fast answer!
I will try that!
Thanks!
-
Hmm sorry I got another question about the config:
Why do the ca certificate and private key data exist 2 times in the config?
Also what about the serial tag regarding the ca?The internal ca certificate data have a serial of 25 at the first place in the config and a serial of 26 at the second (at the bottom of the file).
When I was to add that private key to the external ca, would I also need to add it 2 times and add a serial tag (which doesn't exist yet for this imported ca)?
Thank you!
-
It shouldn't exist twice in the config.
If you see it under <system>, that should have been removed when I relocated the certificate code out from under there. Those entries are no longer used and can be deleted.</system>
-
ok thanks, but what about the serial tag? Why is there a serial for the internal ca and none for the imported one?
-
Can I delete any <cert>tags under system or just the ca ones?</cert>
-
I'd have to trace back through the code again to remember that one. I think it was something of a revision tag, but you can probably add one safely as "1". It isn't a unique ID, that's the refid, so the serial isn't used for significant things like that.
You can delete any <ca>, <cert>, or <crl>tags under <system>.</system></crl></cert></ca>
-
This was stuck in my inbox, haunting me, but I finally managed to work up a fix.
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/bfa992bc4eb8f8674f44b94e8617a032854356e9
You should be able to edit CAs and add private keys now.
-
Thank you jimp!
This is great! At least for me it's very useful since I have some imported CA's left from the time where you couldn't import priv.keys.
Also if you changed your mind and wanted to add the priv key later.. it's a great feature.Thank you!
-
Just remember when importing a CA to check what your highest certificate serial number is and set it in the GUI as appropriate, so you don't get certificates with overlapping serials. (It makes revoking them a PITA)
-
Thnx I'll watch out and try it out once I can upgrade the box.