Netgate Discussion Forum
    Certificate Manager - How to add nsCertType=SERVER extension to certificates?

    2.0-RC Snapshot Feedback and Problems - RETIRED

      cyboc

      Hi,

      I'm running pfSense 2.0-BETA4 (i386) built on Mon Dec 20 20:21:46 EST 2010. Loving it so far!

      I am setting up an OpenVPN server and I am using pfSense's Certificate Manager to create the certificates. I have created all of the necessary certificates and keys (e.g. ca, server, client) and configured the OpenVPN server on pfSense and an OpenVPN client on Windows XP.

      When I set up the client configuration file, I used the sample client configuration file included with OpenVPN as a template. Then I changed certain settings as needed (e.g. remote server address).

      Initially, I couldn't connect from the client. I tracked it down to this error in the OpenVPN log on the client side (confidential parts obfuscated with ###):

      Fri Jan 07 09:46:13 2011 VERIFY nsCertType ERROR: /C=###/ST=###/L=###/O=###/emailAddress=###@###.com/CN=###, require nsCertType=SERVER
      

      I was able to workaround the problem and successfully connect by commenting out (with a ';' character) the following line in the client configuration:

      ns-cert-type server
      

      The comment above that setting recommends using the setting (i.e. not commenting it out) to prevent a possible man in the middle attack:

      # Verify server certificate by checking
      # that the certificate has the nsCertType
      # field set to "server".  This is an
      # important precaution to protect against
      # a potential attack discussed here:
      #  http://openvpn.net/howto.html#mitm
      #
      # To use this feature, you will need to generate
      # your server certificates with the nsCertType
      # field set to "server".  The build-key-server
      # script in the easy-rsa folder will do this.
      

      For now, I'm okay with commenting out that setting. However, I would prefer it if pfSense's Certificate Manager gave you the option of adding extensions to certificates (in this case, the extension nsCertType=SERVER). As far as I know, there is no way to do it with the current web interface.

      Question 1): Is there a way to add this extension by creating a certificate from the command line in pfSense? If easy-rsa were installed (don't think it is?) it would be simple. You would run the script build-key-server instead of build-key.

      Question 2): Would it be possible to add this option to the Certificate Manager web interface?

      Cheers

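On Question 1, here is an added example that is not part of the original post and not pfSense's or easy-rsa's own code: the extension the client's "ns-cert-type server" check looks for can be set from the command line with plain openssl, which is what easy-rsa's build-key-server script does underneath (its "server" extension section sets nsCertType=server, keyUsage and extendedKeyUsage=serverAuth). The script below builds a throwaway CA, signs one certificate with nsCertType=server and one with nsCertType=client, then performs the same test the OpenVPN client does: chain verifies against the CA and nsCertType contains "SSL Server". The CA name, the CNs "server" and "client", the working directory and the extension file names are all placeholders chosen for the demo. One caveat for anyone reading this later: OpenVPN deprecated ns-cert-type in 2.4 and removed it in 2.5 in favour of "remote-cert-tls server", which checks keyUsage and extendedKeyUsage=serverAuth instead; the server extension file below sets those too, so the resulting certificate satisfies either client directive.

```shell
#!/bin/sh
# Added example, not code from the forum post, pfSense or easy-rsa.
# Builds a demo CA plus a server and a client certificate with openssl and
# checks the nsCertType extension the way an OpenVPN client with
# "ns-cert-type server" does. All names and paths are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory; certs are left here

# Extension files passed to "openssl x509 -req -extfile" at signing time.
# This is where nsCertType (and the newer keyUsage/EKU checks) come from.
write_ext_files() {
    cat >"$WORK/server.ext" <<'EOF'
basicConstraints=CA:FALSE
nsCertType=server
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
    cat >"$WORK/client.ext" <<'EOF'
basicConstraints=CA:FALSE
nsCertType=client
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
EOF
}

# Self-signed CA, the role the pfSense Certificate Manager's CA plays.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=example-vpn-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf certificate: $1 = CN / file stem, $2 = extension file.
# The CSR carries no extensions; the CA adds them from $2 when signing.
make_leaf() {
    name="$1"; ext="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 \
        -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Print a cert's nsCertType value as openssl renders it
# ("SSL Server", "SSL Client", ...), or "none" if the extension is absent.
ns_cert_type() {
    openssl x509 -in "$1" -noout -text |
        awk '/Netscape Cert Type/ { getline; gsub(/^[ \t]+/, ""); print; found = 1 }
             END { if (!found) print "none" }'
}

# The check "ns-cert-type server" performs on the peer certificate:
# it must chain to the CA and its nsCertType must include the server bit.
check_server_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
    ns_cert_type "$1" | grep -q 'SSL Server'
}

build_all() {
    write_ext_files
    make_ca
    make_leaf server "$WORK/server.ext"
    make_leaf client "$WORK/client.ext"
}

build_all
echo "server.crt nsCertType: $(ns_cert_type "$WORK/server.crt")"
echo "client.crt nsCertType: $(ns_cert_type "$WORK/client.crt")"
if check_server_cert "$WORK/server.crt"; then
    echo "server.crt would pass 'ns-cert-type server'"
fi
if ! check_server_cert "$WORK/client.crt"; then
    echo "client.crt would fail 'ns-cert-type server' (the error in the post)"
fi
echo "files left in $WORK"
```

The second "if" reproduces the failure from the post: a certificate signed without the extension (pfSense's Certificate Manager output at the time, or a cert made with plain build-key) chains fine but fails the nsCertType test, so the client reports "VERIFY nsCertType ERROR". To reuse the idea against an existing CA, point the -CA/-CAkey arguments at the exported CA certificate and key and keep server.ext as is.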
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.