Certificate 'private key data' not optional anymore?



  • Hello, I'm trying to set up StrongVPN, but since the private key data is not included in their config, I wonder whether pfSense should make this 'option' optional.

    Am I crazy, or does this make sense?



  • What did they give you? I thought they started handing out inline configurations just a few weeks ago, where the certificate and key are included in the *.ovpn file.



  • They don't include a key for /system_certmanager.php,

    only for /system_camanager.php.


  • Rebel Alliance Developer Netgate

    You probably have those backwards. It's highly unlikely they gave you a CA key.



  • @jimp:

    You probably have those backwards. It's highly unlikely they gave you a CA key.

    Yeah, they have to give you your certificate's key (or a .p12 file you can split), but they should never give you the CA key (that would give you the ability to generate certificates valid on their servers).



  • This is what they gave me in their config:

    <ca>-----BEGIN CERTIFICATE-----
    MIIDkzCCAvygAwIBAgIJALdoA3BAcCvfMA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAa
    BgNVBAoTE3JlbGlhYmxlaG9zdGluZy5jb20xEDAOBgNVBAMTB292cG4xOTQxKjAo
    BgkqhkiG9w0BCQEWG3RlY2h12345cmVsaWFibGVob3N0aW5nLmNvbTAeFw0xMjAz
    MjgxOTE5MDFaFw0yMjAzMjYxOTE5MDFaMIGOMQswCQYDVQQGEwJVUzELMAkGA1UE
    CBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAaBgNVBAoTE3JlbGlhYmxl
    aG9zdGluZy5jb20xEDAOBgNVBAMTB292cG4xOTQxKjAoBgkqhkiG9w0BCQEWG3Rl
    Y2hpZXNAcmVsaWFibGVob3N0aW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
    gYkCgYEAvQwYhy8123452WhmanW1cDTtVXqQ6GaCgApfRjKy95qceWxl8vqXAkVF
    uej/vMxkPt7eT7MxJG+eaN8SUMBImAcq2/V2ejRQ4e6Sf42To/y9Fz4D1wHv+vk5
    kajByHRYNMVKy2hWTZzHKG18w9qPod0iPFkhg+AgSgKs7lPD6yUCAwEAAaOB9jCB
    8zAdBgNVHQ4EFgQUiv2CSblVfRTqJg764c0ErV+s580wgcMGA1UdIwSBuzCBuIAU
    iv2CSblVfRTqJg764c0ErV+s582hgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJDQTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEcMBoGA1UEChMTcmVsaWFi
    bGVob3N0aW5nLmNvbTEQMA4GA1UEAxMHb3Z12345NDEqMCgGCSqGSIb3DQEJARYb
    dGVjaGllc0ByZWxpYWJsZWhvc3RpbmcuY29tggkAt2gDcEBwK98wDAYDVR0TBAUw
    AwEB/zANBgkqhkiG9w0BAQUFAAOBgQBxPEG8XQz0X+gG1BjUkzkGkai8vcfwPEQq
    PMzbd3KVNUqpokJtDv5DxiBP+DM5aip/4PaiqbAVyifb7XZ8zDkxtDrsa3qfi4Vc
    8DErOZq/j/CuoGwXMchl0h8gpr77Zq3R4uXq+EFv20si76ClIykzXRhGIkICS1mb
    2hACWeCtDA==
    -----END CERTIFICATE-----</ca>
    <key>-----BEGIN PRIVATE KEY-----
    MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBANw4LlnFoYrKCpq3
    zwfXAanc+Sfs0sUskk3qWofiDb3KMS/yLPg7NSfUZiaD/CAmVKC2XC6QViuLL0T9
    QsXFF1NTzghqdqDgiQtNt2z/MbFsezlVLpSg0XJVMa12345PSgOI7qaEqPt14ONm
    35VQbSiJWGnz29m3lJJCGfG3FxxNAgMBAAECgYA8W0GI5TuzOFDTutEJSwpvrdqz
    8Jq12345UW/ikjhF7iaxB2T/2+pjsjkVEVOG1DqZmaGGOZUEdi9Mb0VfwvbzI3vb
    NlDrAJTTEVSiAnxR1q0M12345/XLyRt5iIQTpIPIurJWoC01FuNkgd9+xpTrb4c0
    jUSQA6pwpNb8j89lgQJBAO3VBV1Cp6+fwp1dtf9isArcgxCpJqWxCY3fUVr/hIRR
    wP82TbEoWI3OgTFZSfdVVEfPw1ouHabphWgbZBjDXBECQQDtCrtcKLH+YAK8f2hI
    NKXz6+msyd/Od8eSdMcDdP4o1/mWeZbm41RulAgAnraqtMZ7XEvkUP2mpytOA2+e
    yKh9AkBaEUklx19fqD34gIuy+rm2c0oDXjuvlfsLSl4x+wBBaACR5gvIIoJeuay9
    dpYHX746L9lIZpx+IIOQKIdgxWMxAkEAo59C0UyuAL7ZZLA1lZHx87umo0T+HhEE
    S44cScCaKCtc94eaqGnHQEUiePsVcCQ01bZSFJnrXPwLomAwzlQIKQJAGGKsM5iO
    SZ137va9GUleRwofJuO7yiii4yumM38eHc+iaogOLqTr/VpAwoOGt50RWmNpzNR8
    VgeO+XtBF96FGA==
    -----END PRIVATE KEY-----</key>
    <cert>-----BEGIN CERTIFICATE-----
    MIID2zCCA0SgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMx
    CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4tRnJhbmNpc2NvMRwwGgYDVQQKExNy
    ZWxpYWJsZWhvc3RpbmcuY29tMRAwDgYDVQQDEwdvdnBuMTk0MSowKAYJKoZIhvcN
    AQkB12345WNoaWVzQHJlbGlhYmxlaG9zdGluZy5jb20wHhcNMTIwMzI4MTkxOTAx
    WhcNMjIwMzI2MTkxOTAxWjCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
    FAYDVQQHEw1TYW4tRnJhbmNpc2NvMRwwGgYDVQQKExNyZWxpYWJsZWhvc3Rpbmcu
    Y29tMRAwDgYDVQQDEwdvdnBuMTk0MSowKAYJKoZIhvcNAQkBFht0ZWNoaWVzQHJl
    bGlhYmxlaG9zdGluZy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANw4
    LlnFoYrKCpq3zwfXAanc+Sfs0sUskk3qWofiDb3KMS/yLPg7NSfUZiaD/CAmVKC2
    XC6QViuLL0T9QsXFF12345hqdqDgiQtNt2z/MbFsezlVLpSg0XJVMau1j0dPSgOI
    7qaEqPt14ONm35VQbSiJWGnz29m3lJJCGfG3FxxNAgMBAAGjggFFMIIBQTAJBgNV
    HRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlm
    aWNhdGUwHQYDVR0OBBYEFApxvW+j6OOjWgXdlFUwYROafnCYMIHDBgNVHSMEgbsw
    gbiAFIr9gkm5VX0U6iYO+uHNBK1frOfNo12345GRMIGOMQswCQYDVQQGEwJVUzEL
    MAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAaBgNVBAoTE3Jl
    bGlhYmxlaG9zdGluZy5jb20xEDAOBgNVBAMTB292cG4xOTQxKjAoBgkqhkiG9w0B
    CQEWG3RlY2hpZXNAcmVsaWFibGVob3N0aW5nLmNvbYIJALdoA3BAcCvfMBMGA1Ud
    JQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQUFAAOBgQCS
    YIFOVLS7Gxq4rR9IBEacXVCctl9Y3HUFpC0dkdgOR8KwOUe1DG123WYyPx87ptLf
    zKCQ/5IfKpIC9/WeiAfxcGe++FMq/x1xDNGYi5803XjxOwQo6CIcWg+onHT/GVaP
    ZKuit2q/l9GOnJ8ZloayoDaHBMcfZaAMMugfLA/lmQ==
    -----END CERTIFICATE-----</cert>
    <tls-auth>-----BEGIN OpenVPN Static key V1-----
    69cc6b2028e1587cb675382c9b94ec1e
    d570c0a6c3db8029f45e05123451c713
    74982912345b2d92a2c55d803d63ea94
    90208cb50649c15c8689dcca70232666
    31f062c8b7ed5db1b1947ac7a7f10600
    eb25a27333016f42d6acfaff723a8287
    84bc4ed03c9200c7eff675d6eae98b36
    b219954dfe7532477dd468aab406fc5a
    1ba24cbc256cd9e3dd14ea50f68bff40
    1a73d16cd2d733049c1234526b5e4e90
    ac157d34343d90540902c3fb68bd8160
    3b12345858c498ae00405ddc9d87bb06
    49c5351030d25d2533712ef8cf53fe1d
    26dfe5699d88f9f47a57586e82a6b8b6
    abf5f931e281ece5cf26f0f8b12770ea
    2ba9ff3bc21aec5b65aaf836d870c4c4
    -----END OpenVPN Static key V1-----</tls-auth>

    (I changed part of the key, don't worry)



  • The key does not belong to the CA but to your certificate. Just import the CA without a private key.

    ca => CA certificate
    cert => User certificate
    key => User private key
    tls-auth => TLS static key

    http://www.packtpub.com/article/new-features-of-openvpn-2-1-and-2-2
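The mapping in the reply above is easy to get wrong when a provider hands you a single inline *.ovpn file. The script below is an added example (not pfSense's or OpenVPN's own code): it parses the inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks, checks that each carries the PEM type it should, records which pfSense page each one belongs on (page names taken from this thread), and flags a profile whose key is missing or sits in the wrong block. It also recognises the older file-reference form (`ca ca.crt`, `key client.key`, `tls-auth ta.key 1`), which goes beyond the inline profile shown here. The sample profile embedded below is constructed, with dummy base64 bodies that are not real certificates or keys.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: an inline OpenVPN client profile with placeholder PEM
# bodies (the base64 payloads are dummies, not real certificates or keys).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
QkJCQkJCQkJCQkJCQkJCQkJCQkJCQg==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# tag -> (pfSense destination, role, PEM label the block must carry).
# Page names are the ones named in the thread; the tls-auth destination is
# a description, not a page name.
BLOCK_SPEC = {
    "ca":       ("system_camanager.php",   "CA certificate",   "CERTIFICATE"),
    "cert":     ("system_certmanager.php", "User certificate", "CERTIFICATE"),
    "key":      ("system_certmanager.php", "User private key", "PRIVATE KEY"),
    "tls-auth": ("OpenVPN client TLS key", "TLS static key",   "OpenVPN Static key V1"),
}

INLINE_RE = re.compile(r"<(?P<tag>[\w-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\s*(?P<b64>.*?)\s*-----END (?P=label)-----", re.S)


def extract_inline_blocks(profile: str) -> Dict[str, str]:
    """Return {tag: body} for every <tag>...</tag> block in the profile."""
    return {m.group("tag"): m.group("body") for m in INLINE_RE.finditer(profile)}


def file_references(profile: str) -> Dict[str, str]:
    """Older profiles reference files instead of inlining them: 'ca ca.crt', 'key client.key'."""
    refs: Dict[str, str] = {}
    for line in profile.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] in BLOCK_SPEC and not parts[0].startswith("<"):
            refs[parts[0]] = parts[1]
    return refs


def pem_label(body: str) -> str:
    """The text between 'BEGIN' and the dashes, e.g. 'PRIVATE KEY'; '' if not PEM."""
    m = PEM_RE.search(body)
    return m.group("label").strip() if m else ""


def tls_auth_direction(profile: str) -> Optional[int]:
    """Inline tls-auth needs a 'key-direction' line; the file form carries it as a third token."""
    m = re.search(r"^\s*key-direction\s+([01])\s*$", profile, re.M)
    if m:
        return int(m.group(1))
    m = re.search(r"^\s*tls-auth\s+\S+\s+([01])\s*$", profile, re.M)
    return int(m.group(1)) if m else None


def plan_import(profile: str) -> List[dict]:
    """One entry per inline credential: where it goes in pfSense and whether it looks right."""
    blocks = extract_inline_blocks(profile)
    plan = []
    for tag, (page, role, expected) in BLOCK_SPEC.items():
        if tag not in blocks:
            continue
        label = pem_label(blocks[tag])
        plan.append({
            "tag": tag, "page": page, "role": role, "pem_label": label,
            "ok": label == expected,
            # Only the user certificate entry gets a private key; the CA is imported without one.
            "private_key_required": tag == "cert",
        })
    return plan


def check_profile(profile: str) -> List[str]:
    """Human-readable findings; an empty list means the profile is consistent."""
    findings: List[str] = []
    blocks = extract_inline_blocks(profile)
    refs = file_references(profile)
    for tag in ("ca", "cert", "key"):
        if tag not in blocks and tag not in refs:
            findings.append(f"missing '{tag}': neither inline block nor file reference")
    for item in plan_import(profile):
        if not item["ok"]:
            findings.append(f"<{item['tag']}> carries '{item['pem_label'] or 'no PEM'}', "
                            f"expected '{BLOCK_SPEC[item['tag']][2]}'")
    if "key" in blocks and "cert" not in blocks:
        findings.append("<key> present without <cert>: the key belongs to a user certificate, not the CA")
    if ("tls-auth" in blocks or "tls-auth" in refs) and tls_auth_direction(profile) is None:
        findings.append("tls-auth used but no key direction given")
    return findings


if __name__ == "__main__":
    for item in plan_import(SAMPLE_OVPN):
        print(f"<{item['tag']}> -> {item['page']} ({item['role']}), ok={item['ok']}")
    print("findings:", check_profile(SAMPLE_OVPN) or "none")
```

Run it against a provider profile by replacing `SAMPLE_OVPN` with the file's contents; a clean profile yields a four-entry plan and no findings, while a profile whose only private key sits next to the CA block is reported as a missing `key`.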

