Default webGUI SSL certificate lacks any keyusages??
-
I went to put a custom, CA-signed certificate into my pfSense 2.1 configuration. I did end up making an error with my first attempt and had to use the "Bad webGUI SSL certificate" https://forum.pfsense.org/index.php?topic=3079.0 thread to get back into pfSense. Basically I (assumed) I was missing the TLS Server Authentication extendedKeyUsage within my custom certificate after FF, Chrome, Opera, IE all started erroring out; telling me the certificate that they were getting couldn't be used for my specific purpose (TLS).
As a tangent topic, pfSense should reject either importing and/or using a certificate if it doesn't have the required keyUsages/extendedKeyUsages IMHO. ::)
Anyhow, for my 2nd attempt at a custom certificate I thought I'd pull out the default SSL certificate and ensure, my custom cert was an exact mirror of the default's keyUsages. Unfortunately when I exported the default, self-signed pfSense SSL certificate (and parsed it out) I didn't find any keyUsages or extendedKeyUsages within it at all. :o (WTH???) Not sure how this SSL cert is even working without any keyUsages or extendedKeyUsages. I'm not near my server now, but I'll post a parsed version of the default SSL certificate later.
Thinking I'm missing something here. Anyone else have a default SSL cert that contains keyusages/extendedKeyUsages??
K Joseph
-
In the end I did figure this out, but for reference: here's my default cert (edited to hide real cert data). There are no visible "keyUsage" or "extendedKeyUsage" sections. From what I see here this default certificate shouldn't work at all.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
xx:xx:xx:xx:xx:xx:xx:xx
Signature Algorithm: sha256WithRSAEncryption
Issuer:
C=US
ST=Somewhere
L=Somecity
O=CompanyName
OU=Organizational Unit Name (eg, section)
CN=Common Name (eg, YOUR name)
emailAddress=Email Address
Validity
Not Before: xxx xx 03:10:58 2xxx GMT
Not After : xxx xx 03:10:58 2xxx GMT
Subject:
C=US
ST=Somewhere
L=Somecity
O=CompanyName
OU=Organizational Unit Name (eg, section)
CN=Common Name (eg, YOUR name)
emailAddress=Email Address
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d7:5a:25:fc:b2:b3:4f:a5:74:de:1d:89:e0:98:
95:17:7f:af:xx:8d:d6:c6:2c:f7:09:cb:dc:ce:11:
89:6c:7c:63:42:58:27:cc:49:10:5d:af:df:12:75:
30:5f:4f:2e:c9:xx:4c:21:69:xx:61:66:34:b1:0c:
30:xx:1d:ce:da:2b:27:19:47:32:63:4a:89:55:3b:
xx:68:b5:51:af:38:2d:68:41:24:a4:d5:7a:14:9f:
10:81:75:xx:66:92:4e:19:xx1b:30:68:3c:2b:
5e:67:7a:cb:xx:4b:4a:34:d9:1b:d8:3e:8e:d3:cf:
d0:6c:58:b8:4a:16:ad:86:29
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
xx:C8:xx:9F:xx:C5:xx:31:xx:F5:xx:5B:xx:A3:xx:77:xx:69:xx:3B
X509v3 Authority Key Identifier:
keyid:A3:xx:26:xx:7D:xx:60:xx:9A:F5:xx:5B:5A:A3:xx:77:06:69:D7:3B
DirName:/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
serial:xx:xx:xx:xx:xx:xx:xx:xxX509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
0a:20:29:0e:09:32:ec:a7:89:88:a0:d7:d8:63:f1:eb:2f:cf:
54:0d:34:xx:93:57:54:9a:af:bc:9c:30:31:3d:2a:e9:85:01:
61:db:70:xx:48a6:93:b5:9a:xx:5a:8c:3e:3e:cf:11:fe:
c4:53:75:c7:f5:49:6d:74:15:b6:9e:80:33:1c:9c:8a:99:c1:
40:93:00:17:xx:7c:2d:02:9a:ba:ac:ea:7e:77:cd:3b:21:b2:
42:50:95:e4:f8:11:b2:93:e5:dd:38:xx:6c:15:74:59:cc
fd:4f:2d:e1:01:bf:98:d3:27:21:07:c8:30:1c:4b:8d:bb:4f:
c4:xxThe crazy part about this is I created a new CSR from pfSense. Here's what I see in the keyUsage section (there wasn't an extendedKeyUsage section):
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key EnciphermentThis CSR doesn't even contain the proper extendedKeyUsage (TLS Web Server Authentication), which is required for modern browsers to accept this certificate for the purpose of establishing a TLS connection. IMHO the certificate tool in pfSense seems broken if it isn't even requesting the correct keyUsage/extendedKeyUsage for the pfSense certificate.
To "fix" this (I have my own PKI) and forced in the correct extendedKeyUsage of TLS Web Server Authentication (not to mention adding the IP addresses for all LAN interfaces into the subjectAltName). Once I uploaded my corrected certificate it worked without issue.
K Joseph
-
Hi kjoseph
Any idea if this issue was fixed ? Doesn't seem to be
-
This hasn't been an issue for many years. Old certs are not magically replaced, however, you have to make a new certificate. For example, by running
pfSsh.php playback generateguicert
or make one manually in the GUI.