OpenVPN PKCS#12 (p12) user certificates empty (0KB)



  • I'm using pfsense 2.1.3 with OpenVPN Client Export Utility 1.2.11.

    If I use the client export option "Standard Configuration: Archive", the included p12 file will be empty (size 0KB, should be ~4KB).
    Same if I use cert manager to export the user's p12.

    A separate export of the root CA (2KB), user cert (2KB) and user key (2KB) still works, therefore I can hopefully create the PKCS#12 manually using openssl command, but I'd prefer to get the GUI working again.

    Any ideas why this happens? It was working last week and the only change I can remember was an update of the client export utility.

    Thanks!


  • Rebel Alliance Developer Netgate

    There haven't been any changes to the code of the package since April. The last two version changes were for windows installer binary changes only. It works for me on the current version.

    Have you tried exporting other users? Or other VPNs? Are they all affected? Any errors in the system log?

    There should be three "v" buttons by a user cert. One for the cert, one for the key, and one for a .p12 bundle that is the ca+cert+key.



  • Thanks for your Feedback!

    @jimp:

    Have you tried exporting other users? Or other VPNs? Are they all affected? Any errors in the system log?

    I did a little bit more testing:
    If I create a new user + cert in pfsense, the export of the .p12 is still successful. This means that only my existing users are affected by the problem.

    The certificates of these "old" users were not created on the pfsense itself but imported from an IPCOP. I used openssl command to get .pem files from the IPCOP .p12 files:
    openssl.exe pkcs12 -in IPCOPWarrior.p12 -nocerts -out IPCOPWarrior-key.pem
    openssl.exe pkcs12 -in IPCOPWarrior.p12 -nokeys -out IPCOPWarrior-cert.pem
    Thereafter I created the vpn users on pfsense and imported the certificate (copy&paste cert+key code).

    The openVPN access for these users is working, only the .p12 export is affected. I noticed that the cert manager doesn't show the line "user certificate" in the "name" column of these certs.
    Did I miss something during the import???

    @jimp:

    There should be three "v" buttons by a user cert. One for the cert, one for the key, and one for a .p12 bundle that is the ca+cert+key.

    I know, see my first posting: "A separate export of the root CA (2KB), user cert (2KB) and user key (2KB) still works". Only the last button (Export p12) doesn't work…


  • Rebel Alliance Developer Netgate

    Any errors in the system log when you try to export a .p12?

    It must be something in the way the cert was imported. You might try to remove one of the imported certificates and then import it again.



  • @jimp:

    Any errors in the system log when you try to export a .p12?
    It must be something in the way the cert was imported. You might try to remove one of the imported certificates and then import it again.

    No entries in the system log. Is it possible to raise the logging level or to activate some kind of debug mode?

    I've already removed and reimported some of the IPCOP certificates with no success. I've also exported and reimported certificates created by pfsense, which was successful. It definitely has something to do with the content of the IPCOP certificates…

    I also noticed that the distinguished name of the imported certificates is different to the one from the certificates created by pfsense (see attached screenshot).



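
Added example, not part of the thread: the first post mentions building the PKCS#12 by hand with openssl from the separately exported CA, certificate and key. This script does that, first checking that the certificate chains to the CA and that the private key matches it, then confirming the bundle is non-empty and parses. `build_p12`, `make_demo_pki` and `P12_PASS` are names made up for this sketch, the demo PKI is constructed, and the key file is assumed to be an unencrypted PEM.

```bash
#!/usr/bin/env bash
# Added example: assemble a .p12 from separately exported PEM files, with checks.
set -u

# SHA-256 of the PEM public key, so a certificate and a private key can be compared.
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256; }

# build_p12 CA CERT KEY OUT (hypothetical helper). The export passphrase is read
# from $P12_PASS so it is kept off the command line.
build_p12() {
  local ca=$1 cert=$2 key=$3 out=$4
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to the CA" >&2; return 2; }
  [ "$(cert_pub "$cert")" = "$(key_pub "$key")" ] \
    || { echo "private key does not match the certificate" >&2; return 3; }
  (umask 077; openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
      -name "$(basename "$cert" .pem)" -out "$out" -passout env:P12_PASS) || return 4
  # Catch the symptom from the thread: a 0-byte or unparsable bundle.
  [ -s "$out" ] && openssl pkcs12 -in "$out" -passin env:P12_PASS -noout 2>/dev/null \
    || { echo "bundle is empty or unreadable" >&2; return 5; }
}

# Constructed throwaway CA, user certificate and an unrelated key (demo input only).
make_demo_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Constructed Demo CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/user-key.pem" -out "$d/user.csr" \
    -subj "/CN=demo-user" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/user-cert.pem" -days 1 2>/dev/null
  openssl genrsa -out "$d/other-key.pem" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
export P12_PASS=${P12_PASS:-constructed-demo-passphrase}
make_demo_pki "$demo_dir"
build_p12 "$demo_dir/ca.pem" "$demo_dir/user-cert.pem" "$demo_dir/user-key.pem" \
  "$demo_dir/user.p12" && echo "bundle OK: $(wc -c < "$demo_dir/user.p12") bytes"
build_p12 "$demo_dir/ca.pem" "$demo_dir/user-cert.pem" "$demo_dir/other-key.pem" \
  "$demo_dir/bad.p12" || echo "mismatched key rejected (rc=$?)"
rm -rf "$demo_dir"
```

A key that is still passphrase-protected would additionally need `-passin` on the `pkey` and `pkcs12 -export` calls.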