Netgate Discussion Forum

    Certificate 'private key data' not optional anymore?

    2.1 Snapshot Feedback and Problems - RETIRED

    • singerie

      Hello, I'm trying to set up StrongVPN, but with the private key data not included in their config, I wonder if pfSense should set this 'option' as optional.

      Am I crazy, or does this make sense?

      • bardelot

        What did they give you? I thought they started handing out inline configurations just a few weeks ago, where the certificate and key are included in the *.ovpn file.

        • singerie

          They don't include a key for the /system_certmanager.php

          Only for the /system_camanager.php

          • jimp Rebel Alliance Developer Netgate

            You probably have those backwards. It's highly unlikely they gave you a CA key.

            • cmb

              @jimp:

              You probably have those backwards. It's highly unlikely they gave you a CA key.

              Yeah, they have to give you your certificate's key (or a .p12 file you can split), but they should never give you the CA key (that would give you the ability to generate certificates valid on their servers).

              • singerie

                This is what they gave me in their config:

                <ca>-----BEGIN CERTIFICATE-----
                -----END CERTIFICATE-----</ca>
                <key>-----BEGIN PRIVATE KEY-----
                -----END PRIVATE KEY-----</key>
                <cert>-----BEGIN CERTIFICATE-----
                -----END CERTIFICATE-----</cert>
                <tls-auth>-----BEGIN OpenVPN Static key V1-----
                -----END OpenVPN Static key V1-----</tls-auth>

                (I changed part of the key, don't worry)

                • bardelot

                  The key does not belong to the CA but to your certificate. Just import the CA without a private key.

                  ca => CA certificate
                  cert => User certificate
                  key => User private key
                  tls-auth => TLS static key

                  http://www.packtpub.com/article/new-features-of-openvpn-2-1-and-2-2

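The mapping from the last answer, as an added example that is not part of the thread and not pfSense code: a standard-library Python parser that splits an inline .ovpn file into its blocks, checks each block's BEGIN label against that mapping, and reports where each piece is imported. The sample config is constructed with placeholder bodies, the helper names are hypothetical, and the wording of the tls-auth destination is an assumption.

```python
import re

# Mapping from the answer above: inline tag -> (expected BEGIN label, destination).
# The two .php paths are the pfSense pages named in the thread; the tls-auth
# destination wording is an assumption.
EXPECTED = {
    "ca": (r"CERTIFICATE", "CA certificate: /system_camanager.php, no private key"),
    "cert": (r"CERTIFICATE", "user certificate: /system_certmanager.php"),
    "key": (r"(RSA |EC |ENCRYPTED )?PRIVATE KEY",
            "user private key: /system_certmanager.php, same entry as <cert>"),
    "tls-auth": (r"OpenVPN Static key V1", "TLS static key: OpenVPN client settings"),
}
BLOCK = re.compile(r"<(?P<tag>[\w-]+)>\s*(?P<body>.*?)\s*</(?P=tag)>", re.S)
PEM = re.compile(r"-----BEGIN (?P<label>[^-]+)-----.*?-----END (?P=label)-----", re.S)

def split_inline(ovpn_text):
    """Return {tag: (begin_label, block_text)} for each inline block."""
    blocks = {}
    for m in BLOCK.finditer(ovpn_text):
        pem = PEM.search(m.group("body"))
        if pem is None:
            raise ValueError(f"<{m.group('tag')}> holds no BEGIN/END block")
        blocks[m.group("tag")] = (pem.group("label"), pem.group(0))
    return blocks

def import_plan(ovpn_text):
    """Check each block's label against EXPECTED; return (plan, problems)."""
    blocks = split_inline(ovpn_text)
    plan, problems = [], []
    for tag, (label, _) in blocks.items():
        if tag not in EXPECTED:
            continue  # other inline tags are outside this mapping
        want, dest = EXPECTED[tag]
        if re.fullmatch(want, label):
            plan.append(f"<{tag}> -> {dest}")
        else:
            problems.append(f"<{tag}> holds '{label}', expected {want}")
    if "cert" in blocks and "key" not in blocks:
        problems.append("<cert> present but <key> missing: no user private key")
    return plan, problems

def block(tag, label):
    """Constructed placeholder block; carries no real key material."""
    return f"<{tag}>-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----</{tag}>\n"

# Constructed sample with the same four blocks as the config posted above.
SAMPLE = ("client\n" + block("ca", "CERTIFICATE") + block("key", "PRIVATE KEY")
          + block("cert", "CERTIFICATE") + block("tls-auth", "OpenVPN Static key V1"))

if __name__ == "__main__":
    plan, problems = import_plan(SAMPLE)
    print("\n".join(plan + problems))
```

A private key found inside `<ca>` is reported as a problem, which is the case cmb describes: a provider should never hand out the CA key.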