Cert Manager Export Password



  • Dear Developers,

    It would enhance productivity (e.g., when working with client certificates via FreeRADIUS or HAProxy) if the Cert Manager in general could allow picking an export password for p12 password packages downloaded. OpenVPN Client Export contains a very nice model for this, but it is focused on OpenVPN as the only (very worthwhile) purpose.

    Regards,

    Michael



  • Hi,

    I would like to use pfSense User Manager and Certificate Manager to create a user and associated certificate for certificate-based authentication for EAP-TLS WiFi and IKEv2.

    When importing a .p12 certificate identity file into OS X Keychain Access, a password is required. However, the pfSense User Manager and Certificate Manager do not provide an option to specify the password for the .p12 file.

    How can a password be specified for a .p12 export?


  • Rebel Alliance

    I have this same issue on 2.3.2_1. Is there a solution or workaround?


  • Rebel Alliance

    I just add the password using openssl. I think one of the workarounds is using the vpn export client. I recall someone saying you could do it that way. But just a simple openssl command to add a password to your certs and just combine them into a .p12

    I thought I added this to doc file..
    Yeah I did
    https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS

    Client Requires password on .p12

    If your client will not load the .p12 without a password on it, and space does not work, you can add a password with openssl.
        Just download the user cert and key vs the p12, and with the CA cert use the following command:
        openssl pkcs12 -export -certfile ca.crt -in user.crt -inkey user.key -out user.p12

    I use this to use eap-tls on my iphone and ipad - ios requires a password.
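
A non-interactive version of the openssl workaround from the post above, added here as an example (not code from the thread or from pfSense): it takes the export password from an environment variable and checks that the resulting .p12 really requires it. The function names, the P12_PASS variable and the throwaway certificates are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. File names follow the command quoted above.

# make_p12 CA_CERT USER_CERT USER_KEY OUT_P12
# Takes the export password from the P12_PASS variable (an assumed name) so it
# is not passed as a command-line argument, where ps and history would show it.
make_p12() {
    if [ -z "${P12_PASS:-}" ]; then
        echo "P12_PASS is empty; refusing to write an unprotected .p12" >&2
        return 2
    fi
    # umask 077: the bundle holds the private key, so keep it owner-only.
    ( umask 077
      export P12_PASS
      openssl pkcs12 -export -certfile "$1" -in "$2" -inkey "$3" \
          -out "$4" -passout env:P12_PASS )
}

# p12_opens_with P12_FILE PASSWORD: succeeds only if PASSWORD unlocks the file.
p12_opens_with() {
    P12_TRY="$2" openssl pkcs12 -in "$1" -noout -passin env:P12_TRY >/dev/null 2>&1
}

# make_sample_material DIR: constructed throwaway certs and keys for the demo.
# On pfSense these would be the CA cert, user cert and user key downloaded
# from the Cert Manager.
make_sample_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-user" \
        -keyout "$1/user.key" -out "$1/user.crt" 2>/dev/null
}

# demo: build a protected bundle from the constructed material and test it.
demo() (
    d=$(mktemp -d) || exit 1
    make_sample_material "$d" || exit 1
    P12_PASS='constructed-example-pass'   # constructed sample password
    make_p12 "$d/ca.crt" "$d/user.crt" "$d/user.key" "$d/user.p12" || exit 1
    p12_opens_with "$d/user.p12" "$P12_PASS" && echo "password accepted"
    p12_opens_with "$d/user.p12" '' || echo "empty password rejected"
    rm -rf "$d"
)

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument `demo` to exercise it on the throwaway certificates.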



  • @johnpoz:

    I just add the password using openssl. I think one of the workarounds is using the vpn export client. I recall someone saying you could do it that way. But just a simple openssl command to add a password to your certs and just combine them into a .p12

    I thought I added this to doc file..
    Yeah I did
    https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS

    Client Requires password on .p12

    If your client will not load the .p12 without a password on it, and space does not work, you can add a password with openssl.
        Just download the user cert and key vs the p12, and with the CA cert use the following command:
        openssl pkcs12 -export -certfile ca.crt -in user.crt -inkey user.key -out user.p12

    I use this to use eap-tls on my iphone and ipad - ios requires a password.

    Actually, you can export a P12 right from pfSense, then import that into Windows, but just be sure to check "Mark this Key as Exportable". Then go export the cert and set a password.


  • Rebel Alliance

    Yeah, you can do it that way as well. But there is no way that I know of to set the password as you export the p12 in cert manager on pfsense with password already on it. You can do it in the openvpn export, but that is also a workaround.



  • Just wanted to note I submitted a bug to request some joy on this: https://redmine.pfsense.org/issues/8492

    It's been helpful to have workarounds but they range from inconsistently effective to tedious.


 
