5. Certificate 'private key data' not optional anymore ?

Certificate 'private key data' not optional anymore ?

  • S

    Hello, i'm trying to setup strongvpn, but with the private key data not included in their config, i wonder if pfsense should set this 'option' as optional.

    Am i crazy or this make sense ?

    0
  • B

    What did they give you? I thought they started handing out inline configurations just a few weeks ago, where the certificate and key are included in the *.ovpn file.

    0
  • S

    they don't include a key for the /system_certmanager.php

    only for the /system_camanager.php

    0
  • Rebel Alliance Developer Netgate

    you probably have those backwards. It's highly unlikely they gave you a CA key.

    0
  • C

    @jimp:

    you probably have those backwards. It's highly unlikely they gave you a CA key.

    Yeah, they have to give you your certificate's key (or a .p12 file you can split), but they should never give you the CA key (that would give you the ability to generate certificates valid on their servers).

    0
  • S

    this is what they gave me in their config:

    <ca>–---BEGIN CERTIFICATE-----
    MIIDkzCCAvygAwIBAgIJALdoA3BAcCvfMA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAa
    BgNVBAoTE3JlbGlhYmxlaG9zdGluZy5jb20xEDAOBgNVBAMTB292cG4xOTQxKjAo
    BgkqhkiG9w0BCQEWG3RlY2h12345cmVsaWFibGVob3N0aW5nLmNvbTAeFw0xMjAz
    MjgxOTE5MDFaFw0yMjAzMjYxOTE5MDFaMIGOMQswCQYDVQQGEwJVUzELMAkGA1UE
    CBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAaBgNVBAoTE3JlbGlhYmxl
    aG9zdGluZy5jb20xEDAOBgNVBAMTB292cG4xOTQxKjAoBgkqhkiG9w0BCQEWG3Rl
    Y2hpZXNAcmVsaWFibGVob3N0aW5nLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
    gYkCgYEAvQwYhy8123452WhmanW1cDTtVXqQ6GaCgApfRjKy95qceWxl8vqXAkVF
    uej/vMxkPt7eT7MxJG+eaN8SUMBImAcq2/V2ejRQ4e6Sf42To/y9Fz4D1wHv+vk5
    kajByHRYNMVKy2hWTZzHKG18w9qPod0iPFkhg+AgSgKs7lPD6yUCAwEAAaOB9jCB
    8zAdBgNVHQ4EFgQUiv2CSblVfRTqJg764c0ErV+s580wgcMGA1UdIwSBuzCBuIAU
    iv2CSblVfRTqJg764c0ErV+s582hgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQswCQYD
    VQQIEwJDQTEWMBQGA1UEBxMNU2FuLUZyYW5jaXNjbzEcMBoGA1UEChMTcmVsaWFi
    bGVob3N0aW5nLmNvbTEQMA4GA1UEAxMHb3Z12345NDEqMCgGCSqGSIb3DQEJARYb
    dGVjaGllc0ByZWxpYWJsZWhvc3RpbmcuY29tggkAt2gDcEBwK98wDAYDVR0TBAUw
    AwEB/zANBgkqhkiG9w0BAQUFAAOBgQBxPEG8XQz0X+gG1BjUkzkGkai8vcfwPEQq
    PMzbd3KVNUqpokJtDv5DxiBP+DM5aip/4PaiqbAVyifb7XZ8zDkxtDrsa3qfi4Vc
    8DErOZq/j/CuoGwXMchl0h8gpr77Zq3R4uXq+EFv20si76ClIykzXRhGIkICS1mb
    2hACWeCtDA==
    -----END CERTIFICATE-----</ca>
    <key>-----BEGIN PRIVATE KEY-----
    MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBANw4LlnFoYrKCpq3
    zwfXAanc+Sfs0sUskk3qWofiDb3KMS/yLPg7NSfUZiaD/CAmVKC2XC6QViuLL0T9
    QsXFF1NTzghqdqDgiQtNt2z/MbFsezlVLpSg0XJVMa12345PSgOI7qaEqPt14ONm
    35VQbSiJWGnz29m3lJJCGfG3FxxNAgMBAAECgYA8W0GI5TuzOFDTutEJSwpvrdqz
    8Jq12345UW/ikjhF7iaxB2T/2+pjsjkVEVOG1DqZmaGGOZUEdi9Mb0VfwvbzI3vb
    NlDrAJTTEVSiAnxR1q0M12345/XLyRt5iIQTpIPIurJWoC01FuNkgd9+xpTrb4c0
    jUSQA6pwpNb8j89lgQJBAO3VBV1Cp6+fwp1dtf9isArcgxCpJqWxCY3fUVr/hIRR
    wP82TbEoWI3OgTFZSfdVVEfPw1ouHabphWgbZBjDXBECQQDtCrtcKLH+YAK8f2hI
    NKXz6+msyd/Od8eSdMcDdP4o1/mWeZbm41RulAgAnraqtMZ7XEvkUP2mpytOA2+e
    yKh9AkBaEUklx19fqD34gIuy+rm2c0oDXjuvlfsLSl4x+wBBaACR5gvIIoJeuay9
    dpYHX746L9lIZpx+IIOQKIdgxWMxAkEAo59C0UyuAL7ZZLA1lZHx87umo0T+HhEE
    S44cScCaKCtc94eaqGnHQEUiePsVcCQ01bZSFJnrXPwLomAwzlQIKQJAGGKsM5iO
    SZ137va9GUleRwofJuO7yiii4yumM38eHc+iaogOLqTr/VpAwoOGt50RWmNpzNR8
    VgeO+XtBF96FGA==
    -----END PRIVATE KEY-----</key>
    <cert>-----BEGIN CERTIFICATE-----
    MIID2zCCA0SgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMx
    CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4tRnJhbmNpc2NvMRwwGgYDVQQKExNy
    ZWxpYWJsZWhvc3RpbmcuY29tMRAwDgYDVQQDEwdvdnBuMTk0MSowKAYJKoZIhvcN
    AQkB12345WNoaWVzQHJlbGlhYmxlaG9zdGluZy5jb20wHhcNMTIwMzI4MTkxOTAx
    WhcNMjIwMzI2MTkxOTAxWjCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
    FAYDVQQHEw1TYW4tRnJhbmNpc2NvMRwwGgYDVQQKExNyZWxpYWJsZWhvc3Rpbmcu
    Y29tMRAwDgYDVQQDEwdvdnBuMTk0MSowKAYJKoZIhvcNAQkBFht0ZWNoaWVzQHJl
    bGlhYmxlaG9zdGluZy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANw4
    LlnFoYrKCpq3zwfXAanc+Sfs0sUskk3qWofiDb3KMS/yLPg7NSfUZiaD/CAmVKC2
    XC6QViuLL0T9QsXFF12345hqdqDgiQtNt2z/MbFsezlVLpSg0XJVMau1j0dPSgOI
    7qaEqPt14ONm35VQbSiJWGnz29m3lJJCGfG3FxxNAgMBAAGjggFFMIIBQTAJBgNV
    HRMEAjAAMC0GCWCGSAGG+EIBDQQgFh5FYXN5LVJTQSBHZW5lcmF0ZWQgQ2VydGlm
    aWNhdGUwHQYDVR0OBBYEFApxvW+j6OOjWgXdlFUwYROafnCYMIHDBgNVHSMEgbsw
    gbiAFIr9gkm5VX0U6iYO+uHNBK1frOfNo12345GRMIGOMQswCQYDVQQGEwJVUzEL
    MAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xHDAaBgNVBAoTE3Jl
    bGlhYmxlaG9zdGluZy5jb20xEDAOBgNVBAMTB292cG4xOTQxKjAoBgkqhkiG9w0B
    CQEWG3RlY2hpZXNAcmVsaWFibGVob3N0aW5nLmNvbYIJALdoA3BAcCvfMBMGA1Ud
    JQQMMAoGCCsGAQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQUFAAOBgQCS
    YIFOVLS7Gxq4rR9IBEacXVCctl9Y3HUFpC0dkdgOR8KwOUe1DG123WYyPx87ptLf
    zKCQ/5IfKpIC9/WeiAfxcGe++FMq/x1xDNGYi5803XjxOwQo6CIcWg+onHT/GVaP
    ZKuit2q/l9GOnJ8ZloayoDaHBMcfZaAMMugfLA/lmQ==
    -----END CERTIFICATE-----</cert>
    <tls-auth>-----BEGIN OpenVPN Static key V1-----
    69cc6b2028e1587cb675382c9b94ec1e
    d570c0a6c3db8029f45e05123451c713
    74982912345b2d92a2c55d803d63ea94
    90208cb50649c15c8689dcca70232666
    31f062c8b7ed5db1b1947ac7a7f10600
    eb25a27333016f42d6acfaff723a8287
    84bc4ed03c9200c7eff675d6eae98b36
    b219954dfe7532477dd468aab406fc5a
    1ba24cbc256cd9e3dd14ea50f68bff40
    1a73d16cd2d733049c1234526b5e4e90
    ac157d34343d90540902c3fb68bd8160
    3b12345858c498ae00405ddc9d87bb06
    49c5351030d25d2533712ef8cf53fe1d
    26dfe5699d88f9f47a57586e82a6b8b6
    abf5f931e281ece5cf26f0f8b12770ea
    2ba9ff3bc21aec5b65aaf836d870c4c4
    -----END OpenVPN Static key V1-----</tls-auth>

    (i changed part of the key, don't worry)

    0
  • B

    The key does not belong to the CA but to your certificate. Just import the CA without a private key.

    ca => CA certificate
    cert => User certificate
    key => User private key
    tls-auth => TLS static key

    http://www.packtpub.com/article/new-features-of-openvpn-2-1-and-2-2

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy