Certificate Manager - How to add nsCertType=SERVER extension to certificates?



  • Hi,

    I'm running pfSense 2.0-BETA4 (i386) built on Mon Dec 20 20:21:46 EST 2010. Loving it so far!

    I am setting up an OpenVPN server and I am using pfSense's Certificate Manager to create the certificates. I have created all of the necessary certificates and keys (e.g. ca, server, client) and configured the OpenVPN server on pfSense and an OpenVPN client on Windows XP.

    When I set up the client configuration file, I used the sample client configuration file included with OpenVPN as a template. Then I changed certain settings as needed (e.g. remote server address).

    Initially, I couldn't connect from the client. I tracked it down to this error in the OpenVPN log on the client side (confidential parts obfuscated with ###):

    Fri Jan 07 09:46:13 2011 VERIFY nsCertType ERROR: /C=###/ST=###/L=###/O=###/emailAddress=###@###.com/CN=###, require nsCertType=SERVER

    I was able to work around the problem and successfully connect by commenting out (with a ';' character) the following line in the client configuration:

    ns-cert-type server

    The comment above that setting recommends using the setting (i.e. not commenting it out) to prevent a possible man in the middle attack:

    # Verify server certificate by checking
    # that the certicate has the nsCertType
    # field set to "server".  This is an
    # important precaution to protect against
    # a potential attack discussed here:
    #  http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server".  The build-key-server
    # script in the easy-rsa folder will do this.

    For now, I'm okay with commenting out that setting. However, I would prefer it if pfSense's Certificate Manager gave you the option of adding extensions to certificates (in this case, the extension nsCertType=SERVER). As far as I know, there is no way to do it with the current web interface.

    Question 1): Is there a way to add this extension by creating a certificate from the command line in pfSense? If easy-rsa were installed (don't think it is?) it would be simple. You would run the script build-key-server instead of build-key.

    Question 2): Would it be possible to add this option to the Certificate Manager web interface?

    Cheers
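As an added illustration of what Question 1 asks for (this is not from the post, pfSense or easy-rsa): the shell below issues a server certificate carrying the nsCertType=server extension using only the openssl CLI, then checks for the extension the same way the client's `ns-cert-type server` directive does. It assumes openssl is on the PATH; the CA subject, server CN and work directory are constructed for the example, and in pfSense you would sign with the exported CA cert and key instead of the throwaway CA built here.

```shell
#!/bin/sh
# Added example, not pfSense or easy-rsa code: issue a server certificate with
# nsCertType=server from the command line and verify the extension is present.
# The CA subject, server CN and directory are constructed for illustration.

# make_server_cert <dir>: builds a throwaway CA and a signed server cert in <dir>.
make_server_cert() {
    dir="$1"
    mkdir -p "$dir"
    # Throwaway CA (assumption: in pfSense you would export the real CA cert+key).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=vpn.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # X.509v3 extensions: nsCertType=server is what 'ns-cert-type server' checks.
    # keyUsage/extendedKeyUsage are added as well (assumption: not needed by the
    # post, but they are what newer 'remote-cert-tls server' checks look at).
    cat > "$dir/server.ext" <<'EOF'
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Sign the CSR with the CA, attaching the extensions from server.ext.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# has_server_nscerttype <cert>: returns 0 if the cert's "Netscape Cert Type"
# extension says "SSL Server", i.e. the condition the OpenVPN client enforces.
has_server_nscerttype() {
    openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

# Usage: build in a temp dir, then check the server cert (extension present)
# and the CA cert (extension absent, so a client would refuse it as a server).
workdir=$(mktemp -d)
make_server_cert "$workdir"
if has_server_nscerttype "$workdir/server.crt"; then
    echo "server.crt: nsCertType=server present"
fi
if ! has_server_nscerttype "$workdir/ca.crt"; then
    echo "ca.crt: nsCertType=server absent (expected)"
fi
```

With the extension in place the client log line should show VERIFY OK instead of the nsCertType ERROR quoted above, and `ns-cert-type server` can stay enabled.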

