CSR issues on 2.3

awebster

Hi,

Some issues with the Certificate generation in 2.3 Alpha 20151201 snapshot…

I generated what I thought to be a CSR, but the options provided in the new GUI are confusing...

• No validity date should be showing, as the certificate has not yet been issued.

• The icons on the right hand side should include something that clearly indicates access to the CSR.

• Clicking the Export icon saves a blank .crt file, but should perhaps be saving the .req file instead.

• Clicking anywhere on the pending certificate should open a window to view the certificate's details and to copy/paste the CSR in Base64 content

• In my cert request, I had set country to CA, but somehow the CSR is generated with C=US

The dashboard was showing a crash report after this, which I submitted.

Steve_B

Thanks for the report.

I made a number of changes to this page early this morning to resolve some errors I found in the Javascript.  I did not have time to test it much beyond ensuring that those errors had been resolved. I'll look into this later tonight.

cgtechuk

Hi there,

Submitted a bug yesterday which was stopping me creating a CSR as it was giving errors (this has now been fixed)

my next issue with the 1st Dec snapshot is that once the CSR request is created you are unable to edit it to either view it or paste the reply back from the CA in there, When hitting the update button it simply refreshes the page, When I went back to the main page it said there was a crash and I submitted the crash report but it was for http://10.0.0.200/system_certmanager.php?act=csr&id=1

Can this please be looked at

Keep up the good work!

Thanks!

Steve_B

• This is the way 2.2.5 behaves so I will refer to that dev team

• The right-most icon is used for signing the CSR. The choice of icon could be better.

• Again 2.2.5 seems to behave in this way, so I will refer it to the dev team

• Clicking the right-most icon now takes you to the cert details form (It was never "anywhere on the pending certificate" as far as I can tell)

• Country configuration has been fixed

awebster

Thanks for the update.

Confirmed #5 (country code) is working properly.

I think for issue #1 that the problem is that the variable(s) that contain the certificate start/end dates are not cleared before processing the entry consequently are showing the same values as seen in the webConfigurator default self-signed certificate.

I'll wait until #2,3,4 are addressed because the cert manager it is pretty much unusable in its current state.

Steve_B

The other items were determined to be suspect in 2.2.x so we just updated 2.3 (largely) per your suggestions.

Thanks

jimp

1 - Steve_B added some code to hide the date for CSRs, it wasn't present it was re-using values from previous certificate entries
2 - Icons reorderd and changed - the first icon is now a pencil, which should more clearly indicate that it's an edit function
3 - Export options changed for CSR to export the request data instead, .p12 option hidden since it's irrelevant
4 - That's handled via the edit function (See #2)
5 - I confirmed country selection is working again now after Steve_B's last fixes

Still some room for formatting improvement but it's better now.

@awebster:

the cert manager it is pretty much unusable in its current state.

That's not true – you could always edit the data and copy/paste out the req -- just had to click the proper icon to get to that screen. There was no actual functional problem preventing its use among the listed items. CSRs are not frequently used in pfSense so there are likely to be more bugs along that path, working with internal certificates is the most common path and that has been working well.

awebster

Thanks for the update.
I will give that a try.

In 20151202 snapshot, there was no way to view the CSR, so I'm looking forward to the fixes.
My utilisation scenario is a centralized CA issuing certificates to VPN endpoints. 
I could always do a manual openssl key gen/csr/import, but would rather use the GUI, particularly if having remote users fill the fields in and send the resulting CSR for signature.

awebster

Its looking much better!
Pencil icon is clear and concise as to its purpose.
Export icon now works as expected.

However, these issues remain:

• Pasting certificate data into Final Certificate Data text box and clicking Update just reloads the page and the Final Certificate Data text box is empty.

• Cosmetic: adjust the default width of the Signing request data and Final Certificate Data text boxes to not wrap the text.  See screen cap.

Steve_B

Thanks. I have a fix for these and will push it out as soon as a local networking issue is resolved.

awebster

Update on the update…

Text boxes look good now!

But not out of the woods yet...
Pasting the Final Certificate Data and clicking update gives an error:  "The field Descriptive name is required", and can't continue.
See screenshot.

Steve_B

I wondered about that but was unable to compare the behavior to 2.2.5 yesterday. Investigating now.

Steve_B

The descriptive name field was missing from the CSR completion form. Should be fixed now.

awebster

Thanks, it works!

Would be nice to retain the pencil icon for easy access to certificate contents for cutting/pasting when moving it from one box to another.