pfSense

Hi Jim,
thanks for your reply.

Jim Pingle wrote:

That looks like a problem with your certificate. It can't read the time stamp from the certificate data.

Can you add other certificates to that CRL?

I can't add any certificate issued by the same CA to the relative revokation list

Can you try this on a 2.5.0 snapshot?

I'll try it ASAP.

Can you reproduce it with a fresh CA and Certificate?

Now, I've created a new "TEST-CA" and a new "test-certificate". The CRL relative to the "TEST-CA" works fine! I can add "test-certificate" to the CRL.

We may need a copy of the CA and Certificate since it's not something we can reproduce here.

If you need also the private key, I provide It in a private message because it's used for a VPN access.

I can assure that the CA and certificates that have this problem was generated in the same way of "TEST-CA" I talk above. They was generated in the same machine, not imported.

Now, I made another test: I've exported the CA and one certificate issued and I've reimported in another pfsense and the problem is the same also in the other machine!

But, what is wrong in this CA ???

I'm sorry if I waste your time if this isn't a bug, but I think that it's possible that It is.

Thanks,
Dario.

Nothing seems wrong in my CA:

#openssl rsa -in pfsense.pter.it.key -check -noout
RSA key ok

#openssl x509 -in pfsense.pter.it.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = pfsense.pter.it-internal-ca, C = IT, ST = Sicily, L = Palermo, O = PTER Srl, OU = IT
Validity
Not Before: Apr 12 18:01:22 2019 GMT
Not After : Apr 9 18:01:22 2029 GMT
Subject: CN = pfsense.pter.it-internal-ca, C = IT, ST = Sicily, L = Palermo, O = PTER Srl, OU = IT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:dc:1b:7e:33:b3:cd:2d:cb:49:6b:e0:b5:9d:5c:
cb:51:21:39:83:63:9b:8a:e2:f2:c9:d9:b4:d3:94:
30:c2:32:ef:c8:69:d5:48:06:eb:90:4c:0c:02:47:
76:c1:20:54:d9:68:51:e5:45:3a:b4:09:de:8d:04:
1f:a7:bc:27:ec:75:38:4f:d4:70:d3:5d:c0:8f:c3:
51:21:2f:60:9c:9d:ad:ac:e8:f3:93:f7:ff:51:de:
11:d6:e1:2b:9c:2c:a7:0c:db:7f:94:cb:bf:a3:c3:
67:dc:2c:5c:5c:e9:7b:c9:1a:e3:99:c1:fb:d2:1f:
35:97:00:e4:7e:5f:d5:5c:92:fa:50:58:98:de:0c:
4b:0c:a2:d2:50:c2:20:19:ba:2f:e0:66:79:37:93:
1d:c5:38:30:da:04:a8:b4:05:be:fb:6d:25:b3:cc:
73:f8:8a:57:3e:0c:4c:4c:b2:0e:c2:56:7e:55:4f:
e9:7d:0a:73:01:55:d2:cc:33:3f:12:9f:39:9f:0b:
3e:b2:14:5e:cb:e9:fa:13:ac:82:48:1a:2a:1c:b8:
fc:d7:8e:a7:b0:34:ef:59:6b:dc:2c:f2:87:07:1d:
6e:f4:8b:22:f8:88:e8:8b:2c:99:a8:d6:58:d9:24:
45:64:ed:d5:e1:ea:5f:11:90:31:a6:56:3e:4f:8e:
6a:b5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
67:46:62:DA:1F:49:C7:1E:04:F4:48:7D:20:38:16:8A:08:2F:B0:51
X509v3 Authority Key Identifier:
keyid:67:46:62:DA:1F:49:C7:1E:04:F4:48:7D:20:38:16:8A:08:2F:B0:51
DirName:/CN=pfsense.pter.it-internal-ca/C=IT/ST=Sicily/L=Palermo/O=PTER Srl/OU=IT
serial:00

X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
03:1e:6f:b5:9d:f6:93:f3:f9:e2:ef:90:e5:45:40:a6:dc:5e:
07:79:c4:42:6d:e1:e2:0f:0b:cc:a8:af:7e:49:79:52:5c:af:
ce:f2:dd:67:a7:d5:a5:3a:9d:29:47:29:ed:3c:cf:4e:b3:65:
b9:18:ca:35:b0:ea:11:62:2f:e1:15:d4:ff:09:42:85:53:02:
43:4f:81:8f:35:66:79:a8:52:3f:91:1a:7f:cf:b3:d0:96:3d:
7e:0f:a7:54:80:80:6d:0e:8d:bc:e1:68:13:12:aa:ad:81:43:
98:7b:6b:49:81:de:28:42:18:15:86:b0:ee:3e:8c:e3:3e:10:
86:2d:d2:99:cf:ea:b6:67:a3:07:42:e2:78:e2:73:39:7f:ea:
ae:cb:78:c4:c9:65:e9:ba:ac:99:f0:e0:f0:d4:90:4e:2b:de:
68:07:2c:16:f1:14:b3:55:66:09:eb:cc:1e:77:60:d5:61:82:
8d:b2:2f:25:88:d3:f9:a9:d2:45:1e:c2:a2:9d:5a:f0:70:21:
ed:33:50:6e:7f:c2:5c:26:a2:80:4c:e8:3f:c5:a4:98:64:80:
c5:07:be:71:b6:1f:14:8c:bd:4d:63:10:09:67:fc:de:1a:21:
f3:19:5c:fb:d6:92:c8:54:7f:89:2b:d0:21:83:9a:bc:55:ad:
2c:6a:40:fe

Nothing looks obviously wrong in that, but still it's confusing the CRL routines somehow.

If you don't mind to send me that ca + ca private key + one cert (no key) which you can't revoke, I can test it here. Send it to (jimp) [at] {netgate}.{com} (without all the extra fluff there). Since it is sensitive, do not send it in the clear. Encrypt it first with GPG, my key can be found at https://keybase.io/jimp

Jim Pingle wrote:

Nothing looks obviously wrong in that, but still it's confusing the CRL routines somehow.

If you don't mind to send me that ca + ca private key + one cert (no key) which you can't revoke, I can test it here. Send it to (jimp) [at] {netgate}.{com} (without all the extra fluff there). Since it is sensitive, do not send it in the clear. Encrypt it first with GPG, my key can be found at https://keybase.io/jimp

I've sent you an email. Thanks !!!

Dario.