Certificate Manager - How to add nsCertType=SERVER extension to certificates?
I'm running psSense 2.0-BETA4 (i386) built on Mon Dec 20 20:21:46 EST 2010. Loving it so far!
I am setting up an OpenVPN server and I am using pfSense's Certificate Manager to create the certificates. I have created all of the necessary certificates and keys (e.g. ca, server, client) and configured the OpenVPN server on pfSense and an OpenVPN client on Windows XP.
When I set up the client configuration file, I used the sample client configuration file included with OpenVPN as a template. Then I changed certain settings as needed (e.g. remote server address).
Initially, I couldn't connect from the client. I tracked it down to this error in the OpenVPN log on the client side (confidential parts obfuscated with ###):
Fri Jan 07 09:46:13 2011 VERIFY nsCertType ERROR: /C=###/ST=###/L=###/O=###/emailAddress=###@###.com/CN=###, require nsCertType=SERVER
I was able to workaround the problem and successfully connect by commenting out (with a ';' character) the following line in the client configuration:
The comment above that setting recommends using the setting (i.e. not commenting it out) to prevent a possible man in the middle attack:
# Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build-key-server # script in the easy-rsa folder will do this.
For now, I'm okay with commenting out that setting. However, I would prefer if pfSense's Certificate Manager would give you the option of adding extensions to certificates (in this case, the extension nsCertType=SERVER) . As far as I know, there is no way to do it with the current web interface.
Question 1): Is there a way to add this extension by creating a certificate from the command line in pfSense? If easy-rsa were installed (don't think it is?) it would be simple. You would run the script build-key-server instead of build-key.
Question 2): Would it be possible to add this option to the Certificate Manager web interface?