CSR issues on 2.3



  • Hi,

    Some issues with the Certificate generation in 2.3 Alpha 20151201 snapshot…

    I generated what I thought to be a CSR, but the options provided in the new GUI are confusing...

    • No validity date should be showing, as the certificate has not yet been issued.

    • The icons on the right hand side should include something that clearly indicates access to the CSR.

    • Clicking the Export icon saves a blank .crt file, but should perhaps be saving the .req file instead.

    • Clicking anywhere on the pending certificate should open a window to view the certificate's details and to copy/paste the CSR in Base64 content

    • In my cert request, I had set country to CA, but somehow the CSR is generated with C=US

    The dashboard was showing a crash report after this, which I submitted.


  • Developer Netgate

    Thanks for the report.

    I made a number of changes to this page early this morning to resolve some errors I found in the JavaScript. I did not have time to test it much beyond ensuring that those errors had been resolved. I'll look into this later tonight.



  • Hi there,

    Submitted a bug yesterday which was stopping me creating a CSR as it was giving errors (this has now been fixed).

    My next issue with the 1st Dec snapshot is that once the CSR request is created you are unable to edit it to either view it or paste the reply back from the CA in there. When hitting the update button it simply refreshes the page. When I went back to the main page it said there was a crash and I submitted the crash report, but it was for http://10.0.0.200/system_certmanager.php?act=csr&id=1

    Can this please be looked at?

    Keep up the good work!

    Thanks!


  • Developer Netgate

    • This is the way 2.2.5 behaves so I will refer to that dev team

    • The right-most icon is used for signing the CSR. The choice of icon could be better.

    • Again 2.2.5 seems to behave in this way, so I will refer it to the dev team

    • Clicking the right-most icon now takes you to the cert details form (It was never "anywhere on the pending certificate" as far as I can tell)

    • Country configuration has been fixed



  • Thanks for the update.

    Confirmed #5 (country code) is working properly.

    I think for issue #1 that the problem is that the variable(s) that contain the certificate start/end dates are not cleared before processing the entry, and consequently are showing the same values as seen in the webConfigurator default self-signed certificate.

    I'll wait until #2,3,4 are addressed because the cert manager is pretty much unusable in its current state.


  • Developer Netgate

    The other items were determined to be suspect in 2.2.x so we just updated 2.3 (largely) per your suggestions.

    Thanks


  • Rebel Alliance Developer Netgate

    1 - Steve_B added some code to hide the date for CSRs; it wasn't present, it was re-using values from previous certificate entries
    2 - Icons reordered and changed - the first icon is now a pencil, which should more clearly indicate that it's an edit function
    3 - Export options changed for CSR to export the request data instead, .p12 option hidden since it's irrelevant
    4 - That's handled via the edit function (See #2)
    5 - I confirmed country selection is working again now after Steve_B's last fixes

    Still some room for formatting improvement but it's better now.

    @awebster:

    the cert manager is pretty much unusable in its current state.

    That's not true – you could always edit the data and copy/paste out the req -- just had to click the proper icon to get to that screen. There was no actual functional problem preventing its use among the listed items. CSRs are not frequently used in pfSense so there are likely to be more bugs along that path, working with internal certificates is the most common path and that has been working well.



  • Thanks for the update.
    I will give that a try.

    In 20151202 snapshot, there was no way to view the CSR, so I'm looking forward to the fixes.
    My utilisation scenario is a centralized CA issuing certificates to VPN endpoints. 
    I could always do a manual openssl key gen/csr/import, but would rather use the GUI, particularly if having remote users fill the fields in and send the resulting CSR for signature.
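
The manual openssl route mentioned in the post above, as an added example that is not part of the original thread or of pfSense's code: generate a key and CSR, confirm the country actually encoded in the request before sending it for signature, and confirm the returned certificate matches the private key before importing it. The subject values, file names and the throwaway test CA standing in for the central CA are assumptions.

```shell
#!/bin/sh
# Added example. Subjects, file names and the throwaway CA are constructed
# placeholders; in the real workflow the signing step happens on the central CA.
set -eu

# Generate a 2048-bit RSA key and a CSR: $1 = work dir, $2 = subject string.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1/endpoint.key" -out "$1/endpoint.req" 2>/dev/null
}

# Print the country (C=) attribute actually encoded in a CSR.
csr_country() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^C=//p'
}

# Stand-in for the central CA: create a one-day test CA and sign the CSR.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=CA/O=Example Org/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl x509 -req -in "$1/endpoint.req" -days 1 -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/endpoint.crt" 2>/dev/null
}

# Succeed only if the certificate carries the public key of the private key.
cert_matches_key() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Walk through the whole flow in a temporary directory.
work=$(mktemp -d)
make_csr "$work" "/C=CA/O=Example Org/CN=vpn-endpoint-01"
echo "CSR country: $(csr_country "$work/endpoint.req")"
sign_with_test_ca "$work"
openssl verify -CAfile "$work/ca.crt" "$work/endpoint.crt"
cert_matches_key "$work/endpoint.key" "$work/endpoint.crt" && echo "cert matches key"
rm -rf "$work"
```

Comparing the DER-encoded public keys rather than the PEM text keeps the check independent of line wrapping in whatever the CA sends back.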



  • It's looking much better!
    Pencil icon is clear and concise as to its purpose.
    Export icon now works as expected.

    However, these issues remain:

    • Pasting certificate data into Final Certificate Data text box and clicking Update just reloads the page and the Final Certificate Data text box is empty.

    • Cosmetic: adjust the default width of the Signing request data and Final Certificate Data text boxes to not wrap the text.  See screen cap.



  • Developer Netgate

    Thanks. I have a fix for these and will push it out as soon as a local networking issue is resolved.



  • Update on the update…

    Text boxes look good now!

    But not out of the woods yet...
    Pasting the Final Certificate Data and clicking update gives an error:  "The field Descriptive name is required", and can't continue.
    See screenshot.



  • Developer Netgate

    I wondered about that but was unable to compare the behavior to 2.2.5 yesterday. Investigating now.


  • Developer Netgate

    The descriptive name field was missing from the CSR completion form. Should be fixed now.



  • Thanks, it works!

    Would be nice to retain the pencil icon for easy access to certificate contents for cutting/pasting when moving it from one box to another.

