SSL certificate signed



  • Hi all,

    It never bothered me until the new version of Kaspersky IS came out, and now I get the warning below and it requires prompts every time.
    This is what I found online, http://www.itnotes.eu/?p=1570, which explains how to create free certificates.
    I went ahead and created one. At the end I have a .cer file, but on the pfSense certificate page it's asking me for Certificate data and Private key data. When I paste in my public key I get this error:

    The following input errors were detected:

    This certificate does not appear to be valid.
    The field Key data is required.

    What am I doing wrong?
    I'm just trying to get rid of this SSL warning prompt.

    Thanks






  • Netgate

    A certificate on a server requires a certificate and a private key. And, usually, an intermediate CA certificate.

    Both certificate and private key should be entered in the import certificate page.

    If you need an intermediate CA certificate, just import it as a CA - you will not have the private key so leave it blank.



  • @Derelict:

    A certificate on a server requires a certificate and a private key. And, usually, an intermediate CA certificate.

    Both certificate and private key should be entered in the import certificate page.

    If you need an intermediate CA certificate, just import it as a CA - you will not have the private key so leave it blank.

    Derelict,

    Thanks for the reply!

    So I got the public key from their .cert file and pasted it as "Certificate data", but it's giving me the error "This certificate does not appear to be valid."
    I guess what I don't understand is why there's nowhere on pfSense to upload that .cert file?



  • Netgate

    Get the certificate in PEM format.  It will look something like this:

    -----BEGIN CERTIFICATE-----
    MIIFTjCCBDagAwIBAgIQG1r/78gt1gbpG+qPmcKZxzANBgkqhkiG9w0BAQsFADCB
    kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
    A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
    BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
    QTAeFw0xNTA4MTcwMDAwMDBaFw0xODA4MjIyMzU5NTlaMFoxITAfBgNVBAsTGERv
    bWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2ls
    ZGNhcmQxFjAUBgNVBAMMDSoucGZzZW5zZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
    A4IBDwAwggEKAoIBAQDIzOkrFy7AHTUWqJdIF2IvDtTM8X3RTb8O52QG8sAokDCv
    u+ad3wgPCboJhUvLwDB9bUZ+/JIOV2tMNzcJ2h6IPRRfh/2RMV+aI3cdWgKxmB5d
    sZUZp22Tviwol145Ty5lEVkRFLVn6y5MLgj2Pju4q5hEUPBjoiMpufeyHM/NnWf0
    IWtuDFB+VlaApXnnpxhMejChdBQeAdUV6QZcHvQiVXn+EnQaj4l+kwwxaS+GwLA6
    TVC988yood/FG3yMu7RLgS6a9CeJ8f4SpGifg0JouTU5iR02MQwLyUhESQcl9yQ/
    ANERGLM7+giyJvAD9jpj/ErnZINgBmu+RpzK4NDbAgMBAAGjggHXMIIB0zAfBgNV
    HSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQU3bK8mIZpBTqH
    JyRIxOK5ArpV220wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0l
    BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQEC
    AgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMw
    CAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2Eu
    Y29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmww
    gYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9j
    YS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNy
    dDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCUGA1UdEQQe
    MByCDSoucGZzZW5zZS5vcmeCC3Bmc2Vuc2Uub3JnMA0GCSqGSIb3DQEBCwUAA4IB
    AQAhtYwrG8qpDDN3R+BkuRfULnzy3DB7MbzSukmtLo3QNrimOfuWepUKqa6Vabm6
    JrIGle0ehemGp3S6jWAS54FZnViobgaiQ4qYqXlNaCT73qHNSIGDszQBov6oHNo1
    aa+s+7e4hN5+fXnX9uscZ+afFfKHS8j4kg21pNEg5r3lIZg4flc5DtDhxeSor/0b
    9jx8D4yus/py2xnM9jy8z1C8EXpQPR+5PvMTpfEVJTgX4y+6P+9t5TEc+hgioGZQ
    GfFDnI0On9A0BYfpjnRKs8o2Y+7OEmSoAA3/fe8vOBaTLpGn5HGZJOj8QPmgud49
    oML3RbMw4y2L6ONLMpNFupVa
    -----END CERTIFICATE-----



  • Hi,

    Use this as a guideline : https://forum.pfsense.org/index.php?topic=63791.0 - it mentions an example with a certificate from StartSSL.

    I always used a self-generated certificate from pfSense - but I already used a real, signed certificate from StartSSL for my Portal page.

    I saw your message, so I decided to generate a valid certificate from StartSSL for my pfSense Web GUI access.

    My domain name, which also really exists on the net, is brit-hotel-fumel.net
    My host name (pfSense) is : "pfsense"

    First image :
    Add the Intermediate and Root certificate that you must obtain from StartSSL (because I was already using one certificate from them for my portal interface, they were already there for me).

    Next image:
    You first obtain from StartSSL a file called "ssl.key" - keep this file, do not use it directly. Use the command openssl ….. or the tools from StartSSL to decrypt it (using the password you gave to StartSSL to generate it).

    The ssl.crt file goes into the first 'block' (Certificate data).
    Your ssl.key that you decrypted goes into the second block (Private key data).
    Give it also a name, like I did : "pfsense GUI Access"

    You can see in the second image :
    The 'default' auto-generated cert from pfSense, which isn't used anymore now, so I could delete it.
    A second cert record for my portal interface : portal.brit-hotel-fumel.net
    A third cert record for my web GUI access (pfsense.brit-hotel-fumel.net) which is, as you can see, generated today : 28 August, 2015 ;)

    After that, I was already using https access, but I switched from the auto-generated cert to the new StartSSL cert, and ..... looooo, no more warnings from my browser :)






  • @Gertjan:

    Hi,

    Use this as a guideline : https://forum.pfsense.org/index.php?topic=63791.0 - it mentions an example with a certificate from StartSSL.

    I always used a self-generated certificate from pfSense - but I already used a real, signed certificate from StartSSL for my Portal page.

    I saw your message, so I decided to generate a valid certificate from StartSSL for my pfSense Web GUI access.

    My domain name, which also really exists on the net, is brit-hotel-fumel.net
    My host name (pfSense) is : "pfsense"

    First image :
    Add the Intermediate and Root certificate that you must obtain from StartSSL (because I was already using one certificate from them for my portal interface, they were already there for me).

    Next image:
    You first obtain from StartSSL a file called "ssl.key" - keep this file, do not use it directly. Use the command openssl ….. or the tools from StartSSL to decrypt it (using the password you gave to StartSSL to generate it).

    The ssl.crt file goes into the first 'block' (Certificate data).
    Your ssl.key that you decrypted goes into the second block (Private key data).
    Give it also a name, like I did : "pfsense GUI Access"

    You can see in the second image :
    The 'default' auto-generated cert from pfSense, which isn't used anymore now, so I could delete it.
    A second cert record for my portal interface : portal.brit-hotel-fumel.net
    A third cert record for my web GUI access (pfsense.brit-hotel-fumel.net) which is, as you can see, generated today : 28 August, 2015 ;)

    After that, I was already using https access, but I switched from the auto-generated cert to the new StartSSL cert, and ..... looooo, no more warnings from my browser :)

    Thanks for the replies guys!

    I also have pfsense.mydomain.net, and what I don't understand is how to retrieve the Private key data.
    As suggested on the StartSSL website, once the certificate was generated I followed their instructions and backed it up using Chrome (https://www.startssl.com/?app=25#4), and I have a certificate.pfx file.

    How did you get the ssl.crt and ssl.key files?

    The Toolbox on StartSSL did not help me.

    ![startssl tool box.JPG](/public/imported_attachments/1/startssl tool box.JPG)


  • Netgate

    You can get the certificate using the "Retrieve Certificate" link there in the Toolbox on the left.

    Where the key is depends on how you generated the CSR.  Or did you let StartSSL create it?

    I've never done it that way.  I always generate CSRs locally and upload them (Keeping the private key with me the whole time).

    It generates an encrypted private key and gives you this command to decrypt it:

    openssl rsa -in ssl.key -out ssl.key

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,...
    -----END RSA PRIVATE KEY-----

    Worked for me.  I ended up with ssl.key containing the unencrypted rsa key in PEM format.

    That, coupled with the certificate you can get from "Retrieve Certificate" plus the intermediate certificate from "StartCom CA Certificates" (Both in the Toolbox) should be all you need. Their decryption tool worked for me too.

    ETA - It's easier just to generate a CSR using pfSense.  You can just put BS in the attributes (I just used Temp for everything except email.  There I used a@b.c.  CAs toss all that stuff anyway, replacing it with what they have verified.  All the CSR really needs to contain is the private key fingerprint.)



  • @Derelict:

    You can get the certificate using the "Retrieve Certificate" link there in the Toolbox on the left.

    Where the key is depends on how you generated the CSR.  Or did you let StartSSL create it?

    I've never done it that way.  I always generate CSRs locally and upload them (Keeping the private key with me the whole time).

    It generates an encrypted private key and gives you this command to decrypt it:

    openssl rsa -in ssl.key -out ssl.key

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,...
    -----END RSA PRIVATE KEY-----

    Worked for me.  I ended up with ssl.key containing the unencrypted rsa key in PEM format.

    That, coupled with the certificate you can get from "Retrieve Certificate" plus the intermediate certificate from "StartCom CA Certificates" (Both in the Toolbox) should be all you need. Their decryption tool worked for me too.

    ETA - It's easier just to generate a CSR using pfSense.  You can just put BS in the attributes (I just used Temp for everything except email.  There I used a@b.c.  CAs toss all that stuff anyway, replacing it with what they have verified.  All the CSR really needs to contain is the private key fingerprint.)

    When I click on the "Retrieve Certificate" link under certificate I don't get anything (see attached screenshot).

    The entire certificate was done using StartSSL, and Chrome was used to back it up, so nothing was done locally (command line).



  • Netgate

    Then it hasn't been issued for some reason.



  • @Derelict:

    Then it hasn't been issued for some reason.

    Thanks, I will email them.



    If you can't retrieve a certificate under "Retrieve Certificate" then nothing has been generated yet.
    First: go to the "Validations Wizard" and do a "Domain name validation".
    Then: go to the "Certificates Wizard", select "Web server SSL/TLS Certificate" and run through it.

    Normally, I let them generate the files.
    Because I have a "Debian Jessie" server, I execute the "openssl rsa -in ssl.key -out ssl.key" myself, with one detail:
    I use this:

    openssl rsa -in ssl.key -out ssl-decrypted.key
    

    this way I keep the original encrypted key and the decrypted key. You'll be needing the 'ssl-decrypted.key' file afterwards.

    I'll join an image to motivate you  ;)




  • @Gertjan:

    If you can't retrieve a certificate under "Retrieve Certificate" then nothing has been generated yet.
    First: go to the "Validations Wizard" and do a "Domain name validation".
    Then: go to the "Certificates Wizard", select "Web server SSL/TLS Certificate" and run through it.

    Normally, I let them generate the files.
    Because I have a "Debian Jessie" server, I execute the "openssl rsa -in ssl.key -out ssl.key" myself, with one detail:
    I use this:

    openssl rsa -in ssl.key -out ssl-decrypted.key
    

    this way I keep the original encrypted key and the decrypted key. You'll be needing the 'ssl-decrypted.key' file afterwards.

    I'll join an image to motivate you  ;)

    Nice motivation :)

    I was able to get "Retrieve Certificate" working, and the reason was that I never finished the process :(
    Now, after I have entered both, without any errors like before, I still get invalid; how did you "force" your browser to use the new certificate?


  • Netgate

    Did you install the Intermediate as a CA?

    Did you install the StartSSL certificate?

    Does pfSense recognize that the Cert is signed by the CA?

    Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

    Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?



  • @Derelict:

    Did you install the Intermediate as a CA?

    Did you install the StartSSL certificate?

    Does pfSense recognize that the Cert is signed by the CA?

    Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

    Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

    :(

    So I went to check if I was using the new certificate under System > Advanced > Admin Access, and when I changed from the self-generated one to the one I created, now I'm stuck and cannot log in to the pfSense interface. In Chrome I get:

    **This webpage is not available

    ERR_CONNECTION_TIMED_OUT**

    Tried with the pfSense IP https://192.168.1.1 as well as the domain that matched the certificate, https://linux.mydomain.net:81


  • Netgate

    Tried with the pfSense IP https://192.168.1.1 as well as the domain that matched the certificate, https://linux.mydomain.net:81

    Connect to http://192.168.1.1/ and see what happens.

    Did you change the listening port?  You're trying https:// and https://host:81 there.



  • @JohnnyBeGood:

    ….. now I stuck and cannot login into pfsense interface. In chrome I get:

    Been there - seen that.

    My 'solution' : SSH into pfSense. Option 8: shell.

    Type
    viconfig

    Find
    <protocol>https</protocol>
    Change it for
    <protocol>http</protocol>
    Save.
    Reboot.

    Warning : editing the config.xml is "not done" (that's why it works ;)).
    You are using the editor vi - it's somewhat special.



  • @Gertjan:

    @JohnnyBeGood:

    ….. now I stuck and cannot login into pfsense interface. In chrome I get:

    Been there - seen that.

    My 'solution' : SSH into pfSense. Option 8: shell.

    Type
    viconfig

    Find
    <protocol>https</protocol>
    Change it for
    <protocol>http</protocol>
    Save.
    Reboot.

    Warning : editing the config.xml is "not done" (that's why it works ;)).
    You are using the editor vi - it's somewhat special.

    I'm glad I'm not the only one with this issue  ;)

    So using PuTTY SSH I tried to connect to 192.168.1.1 but it keeps timing out. I'm assuming that the SSH daemon is not enabled.
    My next step would be to physically connect a keyboard and monitor and try to connect that way. Are the above steps the same?



  • @Derelict:

    Tried with the pfSense IP https://192.168.1.1 as well as the domain that matched the certificate, https://linux.mydomain.net:81

    Connect to http://192.168.1.1/ and see what happens.

    Did you change the listening port?  You're trying https:// and https://host:81 there.

    I did try connecting to http://192.168.1.1/ but it does not connect.
    Neither port 80 nor 81 worked.



  • @JohnnyBeGood:

    I'm assuming that the SSH daemon is not enabled.

    Possible.
    But not for me.
    A remote system without remote SSH enabled: unthinkable.
    SSH is not some kind of 'emergency back door' : it's the main maintenance port of any system. (GUI is just the next best thing)
    For me, that is.  I guess it's quite usual for people born before 1970  ;)

    @JohnnyBeGood:

    My next step would be to physically connect a keyboard and monitor and try to connect that way. Are the above steps the same?

    Of course.



  • @Gertjan:

    @JohnnyBeGood:

    ….. now I stuck and cannot login into pfsense interface. In chrome I get:

    Been there - seen that.

    My 'solution' : SSH into pfSense. Option 8: shell.

    Type
    viconfig

    Find
    <protocol>https</protocol>
    Change it for
    <protocol>http</protocol>
    Save.
    Reboot.

    Warning : editing the config.xml is "not done" (that's why it works ;)).
    You are using the editor vi - it's somewhat special.

    Thanks for this, you're a life saver! I thought I needed to re-install it  :'(



  • @Derelict:

    Did you install the Intermediate as a CA?

    Did you install the StartSSL certificate?

    Does pfSense recognize that the Cert is signed by the CA?

    Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

    Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

    Let's try this again since I got locked out  :(

    Did you install the Intermediate as a CA?
    I thought I did, please see the attached screenshot.

    Does pfSense recognize that the Cert is signed by the CA?
    I think it does, please see attached.

    Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??
    Everything was fine until I selected the new certificate. After that I was locked out until I tried Gertjan's solution.

    Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?
    When I created the cert. it matched my pfSense hostname.

    Why did I get locked out once I selected the new cert?







  • Netgate

    No.  You installed your certificate as a CA.  You need to install the StartSSL Class 1 Intermediate Server certificate as a CA.  Delete the "Web gui linux" entry from CAs and install this.

    http://www.startssl.com/certs/sub.class1.server.ca.pem

    -----BEGIN CERTIFICATE-----
    MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
    EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
    Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
    dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1
    NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
    BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
    BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
    IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj
    0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo
    /OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6
    6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v
    WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD
    KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T
    Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
    BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA
    FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
    AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
    Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
    I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
    OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
    b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E
    qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG
    FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ
    wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif
    CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w
    9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp
    FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr
    y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez
    8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp
    ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2
    GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+
    gGpWAZ5J6dvtf0s+bA==
    -----END CERTIFICATE-----

    After that, when you look at your certificate, it should show as being issued by that cert (Issuer)…

    ![Screen Shot 2015-09-17 at 10.19.58 PM.png](/public/imported_attachments/1/Screen Shot 2015-09-17 at 10.19.58 PM.png)


  • Rebel Alliance Global Moderator

    You know you could have just used the pfSense self-signed cert.. All you have to do is install the pfSense CA into your machine so that certs signed by that CA are trusted.  There is no reason to get a cert from StartSSL or any place, be it free or not.

    The only time you would need a cert from a publicly trusted CA would be for, say, your portal, when clients that have not trusted the pfSense CA would hit the page via https


  • Netgate

    That's your opinion. I get certs because I think it's inexcusable to have a user have to click through a certificate error. Trains them badly. With all the devices running around here and the amount of messing around I do, it's worth it to me to go through the yearly hassle of updating the certs with ones that won't throw errors at others.


  • Rebel Alliance Global Moderator

    Who said anything about users clicking through bad certs?  I completely agree with you.. It's my machine on a server I admin, I can trust whatever CA I want, now I don't get errors.. Don't have to add an exception, etc.

    Notice I did state that if using it for, say, a captive portal you would use a publicly trusted CA for that cert..

    Once you trust the CA, none of the certs that CA creates will throw errors, etc..




    I also had what most had.
    Added the Class 1 & 3 root certificates from  https://www.cacert.org/index.php?id=3 as CAs.
    Then I added the certificate I generated :

    • Method is : Import an Existing Certificate

    • Descriptive name : SSL Firewall certificate

    • Certificate data :
      -----BEGIN CERTIFICATE REQUEST-----
      MIIEYzCCAksCAQAwHjEcMBoGA1UEAxMTcnV0aGVyLmEzLXN5c3RlbS5ldTCCAiIw
      DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL22lqy5GkaYOudPFljPax00GRUN
      BRZxINqUbu2QZekW0YW6I+I08RAAr5Ihq7bV5Hp31HCWV62oNVc+bk3wlHPpan8B
      HqiSXw3sFTw9007qlBtB/WdUJCMSg36WTj4iRBQE2kQnPN4FyBWVqQ68aclC8/5N
      WLwG5SIALaJ3QkTm89Jmce3JbH0fUsw7HlfkvGY3twtvoD4c9m7dzvIgXtqoKe0y
      XRKbd3Tnl9cF0ZKDtRI9WCwPsynhxnjX8GghES13exajutw12WwDp5cL82J2usdC
      SEWG5LTBbNTvJrdEr/PduZ4brVnOx0U+04zeGNfvBIvNfEB4APz+lkDuVczht2De
      YlL4DOjYHS7oqCcVuAUa25O5NUNKT/qThNFQfAaBnpc6FRV8I65SqnzkwTn+tbPW
      HQ6OvGYBBoWGRttI7chatCw+4VHmBqRf3vTRl6+bBcRfI5PxrB67UW4AfNaDXlu1
      5KGPHkO8l0kXJjRzjwB36Ho0MH9IXKUvYQbxdoJ9wntyV7NjvN8CJg0C6rORAcxN
      7Xp28MGwxEW6xEghCozj99KgNKwnlEn5ynDdLf/LfkIkpaheJ3p26MPMWeAtfICD
      XuJBVmwjn8mpHgq7d3AZIVF5vkLF9JvXqREA0UAiutuV/eFBVlBgUWHVvy2nMcDZ
      LOaIWk5rboaSvtwnAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAgEADV5FG87uRAbS
      8XowLqudKRIqNkftoUO/U7nhHSWj1XNKXdp6Y5e3U7BiJxYuKiZ3AuttyCMdBZ17
      28w6Vc/qsIRIvB//Xglj4ZRFLL+CKQ9PGX/w9lgtN9pEUSzl7LpKF2luvmySzDcD
      rULmUqB2Q6qyYgzMALK7eFLqnEYxeAXM6bw/64mvOoqviVFgtvMG3mx5QHBj98RS
      tOidaqwowKwfk112FXjikn/EKD2P5JI5zWkhHXNjha7YGCcxy/LwaubH3VnCz6bg
      HNoB6r1rGPwxz4YnspVOkCSPHdSHJiGCpwurF9zm4zNMk3SwbWtDW14dVoIXInIU
      tzdXfiS2UVPsgNtX3OQzt3LqwS+WiSFShjLKB3EgFHKibml99Bj+Ep55ptuhOkQt
      PRLo68VZV7tq03xvB2/pzCovQp06Fme8sZJyS6xVY7ir+YAyLsm+nwsRNktkiHWu
      NigfJhf6irRxwHf3lLXYgzEBRV7rzuxO2UxFeuluePZoXMZ7V3+zSQU3iKrpt8gp
      2P6tZbgJ/E/aQUPqokGgLXuRbpK3ywwebDSrWcc1LQCkQbBQylhWdcmHKylzhPzt
      k+yW2KNP69rQ1oobsTYyz9mHBHs5iT5vCz24K5TiIsToTqotVJGqFqsmujnEqD9w
      KgmjwdBTCEdpOcSLMwOxBiVvQ1LQ3fc=
      -----END CERTIFICATE REQUEST-----

    • Private key data :
      -----BEGIN RSA PRIVATE KEY-----
      MIIJK ....
      ...
      ...MP5nAc/8IcadB9YQ7U91stzaDblm04iBr
      -----END RSA PRIVATE KEY-----

    but when I select that certificate to be used, the webConsole becomes inaccessible  :'(

    System log contains :

    Sep 22 22:10:39	php-fpm[77403]: /rc.restart_webgui: Creating rrd update script
    Sep 22 22:10:39	php-fpm[77403]: /rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2015-09-22 22:10:39: (network.c.549) SSL: couldn't read X509 certificate from '/var/etc/cert.pem''
    Sep 22 22:10:37	check_reload_status: webConfigurator restart in progress
    Sep 22 22:10:37	php-fpm[14674]: /system_advanced_admin.php: webConfigurator configuration has changed. Restarting webConfigurator.
    Sep 22 22:10:33	check_reload_status: Reloading filter
    

    Any idea what could be wrong … ?

    T,



  • Maybe this?

    Sep 22 22:10:39 php-fpm[77403]: /rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2015-09-22 22:10:39: (network.c.549) SSL: couldn't read X509 certificate from '/var/etc/cert.pem''

    If it has a problem reading the file or the file is corrupt, that may trigger your issue.


  • Netgate

    You are trying to install a CSR (Certificate signing request) as a certificate.  You need to get the certificate issued to you and install that.

    -----BEGIN CERTIFICATE REQUEST-----
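    The three points Derelict makes in this thread (the PEM form pfSense expects, decrypting the StartSSL ssl.key with openssl rsa, and the CSR-versus-certificate mix-up above) can be checked from a shell before anything is pasted into the pfSense import page. The script below is an added example, not code from the thread, from StartSSL or from pfSense: it generates its own key, certificate and CSR offline (so the file names ssl.key, ssl-decrypted.key, ssl.crt and ssl.csr, the pass phrase and the CN pfsense.example.net are all assumptions), then classifies each PEM file by its armour and confirms that a private key really belongs to a certificate by comparing RSA moduli. Assumes an openssl 1.1 or 3.x binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the pfSense forum thread): the openssl steps the
# thread describes, run on material generated here so it works offline.
# File names follow the thread; pass phrase and CN are assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"
PASS='thread-example-passphrase'   # stands in for the StartSSL password

# 1. An unencrypted RSA key, then the encrypted form a CA hands out.
#    openssl 1.1 writes "Proc-Type: 4,ENCRYPTED", 3.x a PKCS#8
#    "BEGIN ENCRYPTED PRIVATE KEY"; both contain the word ENCRYPTED.
openssl genrsa -out ssl-plain.key 2048 2>/dev/null
openssl rsa -in ssl-plain.key -aes256 -passout "pass:$PASS" -out ssl.key 2>/dev/null

# 2. A self-signed certificate and a CSR for the same key. Only the first
#    belongs in pfSense's "Certificate data" field; the CSR is what you send
#    to the CA, and lighttpd cannot load it as an X509 certificate.
openssl req -x509 -new -key ssl-plain.key -subj '/CN=pfsense.example.net' -days 1 -out ssl.crt 2>/dev/null
openssl req -new -key ssl-plain.key -subj '/CN=pfsense.example.net' -out ssl.csr 2>/dev/null
# An unrelated key, to show what a key/certificate mismatch looks like.
openssl genrsa -out other.key 2048 2>/dev/null

# Classify a PEM file by its armour so you know which pfSense field (if any)
# it belongs in. The CSR test must come first: its header also contains
# "BEGIN CERTIFICATE".
pem_kind() {   # pem_kind FILE -> csr | certificate | encrypted-key | key | unknown
  if grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1"; then echo csr
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo certificate
  elif grep -q 'ENCRYPTED' "$1"; then echo encrypted-key
  elif grep -q -- 'PRIVATE KEY-----' "$1"; then echo key
  else echo unknown
  fi
}

# Decrypt to a distinct output name (Gertjan's variant) so the original
# encrypted key survives. Fails (non-zero) on a wrong pass phrase.
decrypt_key() {   # decrypt_key ENCRYPTED_KEY PASSPHRASE OUTPUT
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# A private key belongs to a certificate only if both carry the same RSA
# modulus; hashing keeps the comparison short.
key_matches_cert() {   # key_matches_cert KEY CERT
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl md5)
  [ "$k" = "$c" ]
}

decrypt_key ssl.key "$PASS" ssl-decrypted.key
for f in ssl.crt ssl.csr ssl.key ssl-decrypted.key; do
  printf '%-18s %s\n' "$f" "$(pem_kind "$f")"
done
if key_matches_cert ssl-decrypted.key ssl.crt; then echo 'ssl-decrypted.key matches ssl.crt'; fi
if ! key_matches_cert other.key ssl.crt; then echo 'other.key does not match ssl.crt'; fi
```

    Run it as-is; it prints one line per file with its kind, then the two modulus checks. Paste into pfSense only a file that reports "certificate" (Certificate data) and one that reports "key" (Private key data) and for which key_matches_cert succeeds; "csr" or "encrypted-key" is the same mistake this thread keeps hitting.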



  • @Derelict:

    No.  You installed your certificate as a CA.  You need to install the StartSSL Class 1 Intermediate Server certificate as a CA.  Delete the "Web gui linux" entry from CAs and install this.

    http://www.startssl.com/certs/sub.class1.server.ca.pem

    -----BEGIN CERTIFICATE-----
    MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
    EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
    Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
    dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1
    NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
    BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
    BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
    IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj
    0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo
    /OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6
    6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v
    WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD
    KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T
    Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
    BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA
    FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
    AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
    Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
    I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
    OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
    b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E
    qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG
    FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ
    wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif
    CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w
    9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp
    FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr
    y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez
    8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp
    ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2
    GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+
    gGpWAZ5J6dvtf0s+bA==
    -----END CERTIFICATE-----

    After that, when you look at your certificate, it should show as being issued by that cert (Issuer)…

    DISCLAIMER: I'm not trying to be an asshole or anything like that!

    I really appreciate your response, but yet again, using your instructions, I got locked out. Can you or someone else explain (with screenshots if possible) the steps taken to get this working? I've tried so many explanations online and they all worked, but this simple one seems to be such a road block! Call me dumb, but I do not get where the problem is.

    I promise once I get it to work I will create a video tutorial so anyone can get it to work without any lockouts.



    Here https://forum.pfsense.org/index.php?topic=63791.0 - in the last message, you will find a PDF with a lot of images.

    The PDF talks about adding a certificate for captive portal access, but I used it to add a certificate for WebGUI access.



  • @johnpoz:

    You know you could have just used the pfSense self-signed cert.. All you have to do is install the pfSense CA into your machine so that certs signed by that CA are trusted.  There is no reason to get a cert from StartSSL or any place, be it free or not.

    The only time you would need a cert from a publicly trusted CA would be for, say, your portal, when clients that have not trusted the pfSense CA would hit the page via https

    I'm giving up on StartSSL and was wondering if you could explain this method more: "All you have to do is install the pfSense CA into your machine so that certs signed by that CA are trusted."


  • Netgate

    I'm giving up on StartSSL

    That's too bad.

    No certificate authority is going to work for you when you do things like upload CSRs as certificates, or upload your certificate as both the certificate and the intermediate CA cert.


  • Banned

    Perhaps this could eventually be automated with https://letsencrypt.org/ - someone's apparently already working on the port.


  • Rebel Alliance Global Moderator

    There is not much to go over - create a CA in the CA manager.  Create a certificate and use it as your web GUI cert..

    Download that CA cert and put it in your trusted CAs on your machine.

    This is fine for your use, or even employee use where you would roll out this CA as trusted, but this is not really good for users of machines that you do not control - like a captive portal with guests, etc.  For such certs you need one from a publicly trusted CA like VeriSign or StartSSL, etc.
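    Both Derelict's point about importing the StartSSL intermediate as the CA (rather than the server certificate itself) and johnpoz's point about trusting a private pfSense CA come down to one question: can a verifier build a chain from the server certificate to a certificate it trusts? The script below is an added example, not code from the thread or from pfSense. It builds a local root CA, an intermediate signed by it and a server certificate signed by the intermediate (all names, including pfsense.example.net and "Example Class 1 Intermediate Server CA", are assumptions), then uses openssl verify to reproduce the outcomes discussed above: a correct chain passes, a missing intermediate fails, the leaf certificate imported as the "CA" fails, and a hostname that matches neither CN nor SAN fails. Assumes openssl 1.1.1 or newer on the PATH (for -verify_hostname) and a usable default openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the pfSense forum thread): a three-level chain
# built locally so "openssl verify" can show which import mistakes break
# validation. File and CN names are assumptions; nothing contacts a real CA.
set -e
WORK=$(mktemp -d)
cd "$WORK"
HOST=pfsense.example.net

# Extensions: CAs must assert CA:TRUE or verify reports "invalid CA
# certificate"; the server cert carries the SAN a browser matches on.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > server.ext <<EOF
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=DNS:$HOST
EOF

q() { "$@" 2>/dev/null; }   # run a command with openssl's stderr chatter silenced

# Root CA (self-signed), intermediate signed by the root, server cert signed
# by the intermediate: the same shape as root -> StartSSL Class 1 -> your cert.
q openssl genrsa -out root.key 2048
q openssl req -new -key root.key -subj '/CN=Example Root CA' -out root.csr
q openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 1 -out root.crt

q openssl genrsa -out int.key 2048
q openssl req -new -key int.key -subj '/CN=Example Class 1 Intermediate Server CA' -out int.csr
q openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -days 1 -out int.crt

q openssl genrsa -out server.key 2048
q openssl req -new -key server.key -subj "/CN=$HOST" -out server.csr
q openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial -extfile server.ext -days 1 -out server.crt

# Does LEAF chain to a certificate in TRUSTED? INTERMEDIATE is optional and
# is offered as an untrusted helper, exactly as a browser receives it.
chain_verifies() {   # chain_verifies TRUSTED LEAF [INTERMEDIATE]
  if [ -n "$3" ]; then q openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null
  else q openssl verify -CAfile "$1" "$2" >/dev/null
  fi
}
# Same chain check plus the hostname match (CN or SAN) a browser performs.
valid_for_host() {   # valid_for_host TRUSTED INTERMEDIATE LEAF HOSTNAME
  q openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null
}
subject_of() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

echo "server.crt issuer : $(issuer_of server.crt)"
echo "int.crt subject   : $(subject_of int.crt)"
if chain_verifies root.crt server.crt int.crt; then echo 'root trusted, intermediate present : OK'; fi
if ! chain_verifies root.crt server.crt; then echo 'intermediate not imported          : FAIL'; fi
if ! chain_verifies server.crt server.crt int.crt; then echo 'server cert imported as the CA     : FAIL'; fi
if valid_for_host root.crt int.crt server.crt "$HOST"; then echo "hostname $HOST : OK"; fi
if ! valid_for_host root.crt int.crt server.crt linux.example.net; then echo 'hostname linux.example.net : FAIL'; fi
```

    The issuer line printed for server.crt equals the subject of int.crt; that is the "Issuer" relationship Derelict's screenshot refers to, and it is what pfSense needs to see between the CA entry and the certificate entry. For johnpoz's private-CA approach the same chain_verifies call applies with the pfSense CA export in place of root.crt and no intermediate.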






  • Hi,
    OK, I had to do this for HTTPS filtering in pfSense. I generated the key in pfSense and downloaded it, then sudo'd to the CA certs folder, made a new folder, renamed the key to a .crt file in the /etc cert area, then did sudo update-ca-certificates (Ubuntu 18.04 based distro) to import it, and it worked, with the message "no perm key found" or the like,
    because before doing this you can go nowhere on the net without that key/crt in, or the perm. So I killed the HTTPS filter and went back to stock Squid, but I may still be having an AV scanner issue on a fresh install of pf 2.4.4.
    A lot has changed for me with Squid and the setup, so I'm still getting past the new stuff. I swore I read that HTTPS filtering has to be on now, as it fixed the ClamAV scanning issue; I may be wrong, but it is a good thing.