Possible bug in Cert manager

  • How to reproduce: Create a CA cert and key on another host. Use an organisation name with "&" like "My Company gmbH & Co. KG." :)

    Import this CA with its key, try to generate a client key and certificate, and you get:

    The field 'Distinguished name Organization' contains invalid characters.

  • Yeah, I had discovered this last night when I was trying to create new certs on a customer's site. I found out it was attributed to the "." in the name. I had used "MMJ Inc." (which had passed the setup on the CA page, yet didn't pass the Certificates page generation) and had to get rid of the "." to make pfSense use the certs.

  • Rebel Alliance Developer Netgate

    Last I knew that really was invalid. It's hard to find a definitive list on the web, but several places list the following as not valid in certificate parameters:

    < > ~ ! @ # $ % ^ / \ ( ) ? . , &

    If that is correct, then our validation code is right, and whatever you used to originally produce those was lacking proper standards-compliant validation.

    Though if you are on recent snapshots you can edit the field before making a certificate. Previously those fields were locked, and now they are no longer locked, just click in there and erase the bad character and then fill in whatever other info you want, and save.

  • I had done it from generating new certs from pfSense directly and had come to the same conclusion.  If I generated the CA (in pfSense) with a name of "MMJ Inc." it would pass the CA check, but not pass the Certificates page when it auto fills from the CA's information.  I would get an error when pfSense would try to generate the certificates.

  • Rebel Alliance Developer Netgate

    Was the CA made a long time ago? Looks like the input validation was tightened up back in June to where it should be.
