pfSense » pfSense Packages

Note: I posted this initially on the Netgate forums. Several views but no feedback. Perhaps not many people set up a full CA to manage their certificates, or if they do they did not start with the pfSense-generated CA/Cert set and still have them active when switching to their root CA-set and exporting the OpenVPN Client config...?

Either your CA/Cert subjects are not unique and it formed an incorrect internal association on import, or you imported things incorrectly:

If the CA/Cert subject were not unique, then OpenSSL would complain. And how would improperly chained certs work properly for pfSense HTTPS Web GUI access and OpenVPN from Windows and iOS devices? Here are the CA/Cert Subjects for all 3 certs for your review (I replaced my domain name with X's, but the net effect is the same):

CA Root Subject: E = admin@XXX.XXX, CN = XXX Root Authorithy, O = XXX.XXX, L = Seattle, S = WA, C = US
Yes I know I misspelled Authority, but I'm not redoing my root CA cert for that. The certification path is XXX Root Authorithy since it is self-signed.

Intermediate CA Subject: E = admin@XXX.XXX, CN = XXX Intermediate Signing Authority #2, O = XXX.XXX, S = WA, C = US
The certification path is:

XXX Root Authorithy
   XXX Intermediate Signing Authority #2

The Cert (paired with the a private key) used for HTTPS and OpenVPN on my pfSense box has the following Subject: E = admin@XXX.XXX,
CN = sg-router.XXXX.me, O = XXX.XXX, S = WA, C = US. The issuer is listed as the Subject entry from XXX Intermediate Signing Authority #2 (my Intermediate CA). The certification path is:

XXX Root Authorithy
   XXX Intermediate Signing Authority #2

If there flaws in this chain, please let me know what I need to fix. I've been using these two CA certs for more than 3 years without problems. And the problem I'm seeing isn't with use of the CA certs, but with how the OpenVPN wizard exports them.

note that the certificate contains the complete CA chain (root and intermediate) along with the server certificate

Don't do this. Import each item separately.

Then why does the pfSense documentation say that is exactly how to do it, see: [[https://docs.netgate.com/pfsense/en/latest/book/certificates/certificate-authority-management.html]]

Here is the relevant text from the doc page:

Importing a Chained or Nested Certificate Authority
If the CA has been signed by an intermediary and not directly by a root CA, it may be necessary to import both the root and the intermediate CA together in one entry, such as:

-----BEGIN CERTIFICATE-----
[Subordinate/Intermediate CA certificate text]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root CA certificate text]
-----END CERTIFICATE-----

Highly unlikely to be a bug.

Gertjan on the forum said he's willing to try a repro case, and I've posted details of my signing certs there too.

That particular document is outdated, the Cert Manager supports forming chains on its own now. I have a setup with intermediate certs and it works perfectly for me internally and in the export package (except for CRLs, but that's already got its own separate issue).

Jim Pingle wrote:

That particular document is outdated, the Cert Manager supports forming chains on its own now. I have a setup with intermediate certs and it works perfectly for me internally and in the export package (except for CRLs, but that's already got its own separate issue).

Did your export package case have both your chained CA certificates installed at the same time as a pfSense-generated CA (with a signed VPN certificate) that had been used previously? That may be a key part of the repro case.

As for the documentation being out of date: The advice on chained certificates is unchanged in both the March 26, 2020 (see page 145) and the June 09, 2020 (also on page 145) PDF versions of The pfSense Book (the June version is listed by Netgate as the newest version). How are users supposed to know that this is no longer required?? And just because it isn't required, does that mean it has stopped working for everyone who followed those directions? That is, are you saying everyone who has installed properly-signed certificates from a properly-chained CA certificate now needs to go back and install each CA certificate individually, else OpenVPN Export won't work?? If so, that is a fairly poor end-user experience, and should not only be documented in the manual, but also in the release notes where for the version where that was changed.

On the other hand, if the previously documented method for importing chained CA certificates should still work (which I hope is the case), then this is indeed a bug; one that I hope is fixed (along with the documentation). Again, this may only happen with the particular CA configuration on pfSense that I reported.

And why is the pfSense book 100% wrong about this (i.e. so out of date)? Why does it not warn people they need to change this, if the behavior is no longer supported?