SAN certificates created with pfSense GUI are invalid
  • Hi all,

    I have a system with multiple WANs and the WAN addresses have different DNS FQDNs so I created a certificate with two DNS type "Subject Alternative Names" but when I open the alternative URLs in my browsers (I use Firefox 29 and IE 11) I get certificate errors because the browsers don't read the subjectAltName.
    When I display the certificate I can see the SANs but they are in a different section compared to working SAN certificates.

    In Firefox for example a SAN certificate created with pfSense GUI shows the SANs in the Firefox "Certificate Viewer" as a comma separated list in
    [Certificate Name]->Certificate->Subject

    A working SAN certificate that doesn't give any errors when browsing to the SAN URLs (for example https://digicert.com) shows the SANs in a completely different section:
    [Certificate Name]->Certificate->Extensions->Certificate Subject Alt Name

    As the ones from pfSense are not working I either do something wrong or there is a bug in pfSense. Has someone ever managed to get this working with certificates generated with pfSense?
    I will try to generate the certificates directly with the openssl command. Can someone tell me where the pfSense generated certificates are stored so I can use them as reference for a manually created certificate?

    Thanks,
    Mike
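    For comparison, the following added script (not from the thread or from pfSense) does what the post proposes: it generates a test certificate with openssl where the names are placed in the X509v3 subjectAltName extension rather than the Subject, and then reads back the extension so the placement can be checked. Hostnames and paths are placeholders.

    ```shell
    #!/bin/sh
    # Added example: build a self-signed certificate whose SANs live in the
    # X509v3 subjectAltName extension (where browsers look), then verify it.
    # Hostnames and paths are placeholders, not values from the thread.
    set -eu

    WORK=${WORK:-$(mktemp -d)}

    # OpenSSL config: the SANs go in an extension section, not in the DN.
    write_config() {
      cat > "$1" <<'EOF'
    [ req ]
    distinguished_name = dn
    prompt = no
    [ dn ]
    CN = wan1.example.test
    [ v3_req ]
    subjectAltName = @alt_names
    [ alt_names ]
    DNS.1 = wan1.example.test
    DNS.2 = wan2.example.test
    EOF
    }

    # Generate key + self-signed cert, attaching the v3_req extension section.
    make_cert() {
      write_config "$WORK/san.cnf"
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/san.cnf" -extensions v3_req \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
      echo "$WORK/cert.pem"
    }

    # Print the names from the SAN *extension* only, one per line.
    # A certificate with the names only in the Subject (the problem described
    # above) prints nothing here, which is what the browser objects to.
    san_names() {
      openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr -d ' ' | tr ',' '\n'
    }

    # Print the Subject line, to contrast with the extension.
    subject_line() {
      openssl x509 -in "$1" -noout -subject
    }

    if [ "${1:-}" = "run" ]; then
      CERT=$(make_cert)
      subject_line "$CERT"
      san_names "$CERT"
    fi
    ```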


  • @ConfusedUser:

    As the ones from pfSense are not working I either do something wrong or there is a bug in pfSense

    https://redmine.pfsense.org/issues/3347



  • Thank you! So it's not only me experiencing this issue.

    I found a workaround for this bug to create the certificates in the exact same structure as pfSense does and the certificates fully integrate into the GUI but they are correct SAN certificates.
    I'll summarize and post step-by-step instructions here for those who want to create SAN certificates with the pfSense CA and want to have them integrated in the GUI.



  • Hi

    Do you mind posting the workaround you found?

    Thanks.
