How to create password protected user certificates using the cert manager?
-
Hello everybody
How can I create password protected user certificates? The thing is, you can't import user certificates to iPhone / iPad without supplying a password (which is bad practice anyway).
And where are the certificates stored on the pfSense box anyway? Just couldn't find anything using 'find'.
Regards
-
Hi,
as far as I know you cannot password protect certificates on the pfSense GUI. The certificates are not stored on pfSense itself - they are just stored in the config.xml. But you have the possibility to export the certificate + key on the GUI and then just place it in the pfSense /tmp folder and use the openssl commands to make it password protected.
You are probably using Apple's ICU, right?
The openssl commands you can find here:
http://simonguest.com/2013/03/22/on-demand-vpn-using-openvpn-for-ios/
I tried with that documentation and the openssl command and it worked.
-
Hi Nachtfalke, thanks for your reply. Stupid me… I might have guessed that.
-
Something called "TinyCA" will probably let you do what you need to do and import the root CAs you produce into pfSense as well as the public and private certs it produces, either password protected or not.
It's a pretty simple thing to use and you can run it out of most Linux distros.
-
Also - The certs are found under system > cert manager.
From there you can export certs. Etc.
You can import certs to associate with users under user manager > edit user > add a cert (little + button)
From there you can cut and paste a cert generated externally.
Hope that helps.
-
Also - The certs are found under system > cert manager.
From there you can export certs. Etc.
You can import certs to associate with users under user manager > edit user > add a cert (little + button)
From there you can cut and paste a cert generated externally.
Well yes, that's obvious, I am aware of that. I am more wondering why there is a PKCS12 export function but no input field to supply a password. As 'openssl pkcs12' provides no generic method to create a bundle without a password I guess easyrsa supplies an empty password (which later can cause problems when trying to import these bundles e.g. on iOS devices).
Therefore I would vote for a feature enhancement.
Something called "TinyCA" will probably let you do what you need to do and import The Root CAs you produce into pfsense as well as the public and private certs it produces either password protected or not.
I have decided to use openssl for that purpose
$ openssl pkcs12 -export -certfile rootCA.crt -in userCert.crt -inkey userKey.key -out user.p12
-
That also works. Depends if you plan to manage a root CA often and create new user certs from it often. If you don't plan to make a habit of it, then a simple line command to issue a cert will work just fine.
-
.p12's usually import fine without a password in my experience. When prompted by whatever OS (e.g. Windows) for a password I just leave it blank or enter a single space. Haven't had a problem doing that yet.
Not exactly a direct method, but the OpenVPN client export package can export a .p12 with a password. Just tick the box, enter a password, and get the config archive zip and you can pull it from there.
-
That's a good way. Fairly convenient. Never thought of that one.
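The two ways of getting a password on the bundle discussed in this thread (the manual openssl export and the OpenVPN client export checkbox) both come down to the same thing: the PKCS#12 export password. The script below is an added example, not code from the thread or from pfSense; it builds a throwaway CA and user cert, exports the same key and cert once with an empty password (what the thread suspects easyrsa does) and once with a real one, and checks which passwords open each bundle. It assumes a working openssl CLI; all file names, subject names and the password are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): compare an unprotected PKCS#12 export
# with a password-protected one and verify which password opens each bundle.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PW='correct horse battery staple'   # constructed sample password

make_test_pki() {
    # throwaway root CA, valid for one day
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Example Test CA' \
        -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" >/dev/null 2>&1
    # user key + CSR, then sign the CSR with the test CA
    openssl req -newkey rsa:2048 -nodes -subj '/CN=alice' \
        -keyout "$WORK/userKey.key" -out "$WORK/user.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/rootCA.crt" \
        -CAkey "$WORK/rootCA.key" -CAcreateserial -days 1 \
        -out "$WORK/userCert.crt" >/dev/null 2>&1
}

# $1 = output .p12, $2 = export password (empty string = unprotected bundle)
export_p12() {
    openssl pkcs12 -export -certfile "$WORK/rootCA.crt" \
        -in "$WORK/userCert.crt" -inkey "$WORK/userKey.key" \
        -out "$1" -passout "pass:$2"
}

# Prints "ok" if the bundle's MAC verifies with the given password, else "fail".
check_p12() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_test_pki
export_p12 "$WORK/user-nopass.p12" ''     # what an empty-password export yields
export_p12 "$WORK/user.p12" "$PW"         # password-protected bundle

check_p12 "$WORK/user.p12" "$PW"          # ok
check_p12 "$WORK/user.p12" 'wrong'        # fail
check_p12 "$WORK/user-nopass.p12" ''      # ok: opens with a blank password
```

On a real pfSense box you would point -certfile, -in and -inkey at the CA, cert and key exported from System > Cert Manager instead of the generated ones.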