Feature #1184


Certificate Manager - Ability to add nsCertType=SERVER extension to certificates

Added by Joe Kelly almost 11 years ago. Updated over 9 years ago.

I'm running pfSense 2.0-BETA4 (i386) built on Mon Dec 20 20:21:46 EST 2010. Loving it so far!

I am setting up an OpenVPN server and I am using pfSense's Certificate Manager to create the certificates. I have created all of the necessary certificates and keys (e.g. ca, server, client) and configured the OpenVPN server on pfSense and an OpenVPN client on Windows XP.

When I set up the client configuration file, I used the sample client configuration file included with OpenVPN as a template. Then I changed certain settings as needed (e.g. remote server address).

Initially, I couldn't connect from the client. I tracked it down to this error in the OpenVPN log on the client side (confidential parts obfuscated with ###):

Fri Jan 07 09:46:13 2011 VERIFY nsCertType ERROR: /C=###/ST=###/L=###/O=###/, require nsCertType=SERVER

I was able to workaround the problem and successfully connect by commenting out (with a ';' character) the following line in the client configuration:

ns-cert-type server

The comment above that setting recommends using the setting (i.e. not commenting it out) to prevent a possible man in the middle attack:

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.

For now, I'm okay with commenting out that setting. However, I would prefer if pfSense's Certificate Manager would give you the option of adding extensions to certificates (in this case, the extension nsCertType=SERVER). As far as I know, there is no way to do it with the current web interface.

Feature Request: Could you please add this option to the Certificate Manager web interface?

Actions #1

Updated by Chris Buechler almost 11 years ago

  • Project changed from pfSense Packages to pfSense

Actions #2

Updated by Rhys Rhaven over 10 years ago

+1 Request for this. I will correct though, not having ns-cert-type does not allow a MitM attack except from other VPN users who have valid keys.

Actions #3

Updated by Jim Pingle over 10 years ago

This one is a bit tricky, I've looked into it before and came up empty. There doesn't seem to be a good way to do this purely using PHP's openssl functions, since the cert type and such is pulled from the openssl.cnf file on the filesystem, and it would have to be swapped around to do it as expected.

Suggestions are more than welcome for how to generate these in a one-off style consistent with the other code.

Actions #4

Updated by George Macon over 10 years ago

Since we know in advance what kinds of extensions we want, they should all be specified in the openssl.cnf, but in different sections. Then, when calling openssl_csr_new and openssl_csr_sign, as part of the $args array, include "x509_extensions" => "<group name>". This implies that there needs to be an option in the interface to select what kind of certificate you want. The default groups in openssl.cnf, "v3_ca" and "usr_crt" cover two of the possibilities. The final option, "server", would need to be added, probably following OpenVPN's EasyRSA openssl.cnf.
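
The approach in #4, worked through in PHP as an added example (not pfSense's own certificate code): the openssl.cnf is constructed inline with three extension groups named as in the default OpenSSL config (v3_ca, usr_cert, server), and the group for each certificate is selected through the "x509_extensions" option passed to openssl_csr_new and openssl_csr_sign. The config contents, DNs, serials and helper function names are assumptions of this example.

```php
<?php
// Added example (not pfSense code): issue a CA, an OpenVPN server cert with
// nsCertType=server and a client cert, choosing the extension group per cert
// from a constructed openssl.cnf instead of swapping the system file around.
$cnf = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnf, <<<CNF
[ req ]
distinguished_name = req_distinguished_name
string_mask = utf8only
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
extendedKeyUsage = clientAuth
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
CNF);

// Issue a certificate whose extensions come from the named section of $cnf.
function issueCert(string $cnf, array $dn, string $section, $caCert, $caKey, int $serial): array {
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $opts = ['config' => $cnf, 'digest_alg' => 'sha256', 'x509_extensions' => $section];
    $csr = openssl_csr_new($dn, $key, $opts);
    // A null CA certificate makes the result self-signed (used for the CA itself).
    $cert = openssl_csr_sign($csr, $caCert, $caKey ?? $key, 3650, $opts, $serial);
    return [$cert, $key];
}

// True when the cert carries the nsCertType bit that "ns-cert-type server" verifies.
function hasServerCertType($cert): bool {
    $ext = openssl_x509_parse($cert)['extensions'] ?? [];
    return str_contains($ext['nsCertType'] ?? '', 'SSL Server');
}

[$caCert, $caKey] = issueCert($cnf, ['commonName' => 'Example VPN CA'], 'v3_ca', null, null, 1);
[$srvCert] = issueCert($cnf, ['commonName' => 'vpn.example.test'], 'server', $caCert, $caKey, 2);
[$cliCert] = issueCert($cnf, ['commonName' => 'client1'], 'usr_cert', $caCert, $caKey, 3);
unlink($cnf);
var_dump(hasServerCertType($srvCert), hasServerCertType($cliCert));
```

The server certificate passes the check and the client certificate does not, which is exactly the distinction the client-side "ns-cert-type server" line enforces; the "server" group also sets extendedKeyUsage = serverAuth, which is what later OpenVPN releases verify with remote-cert-tls after ns-cert-type was deprecated.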

Actions #5

Updated by Jim Pingle over 10 years ago

That may be possible, it would have to be tested to make sure it really works though. I haven't looked at this since my last note on the ticket but I had thought it also required some other changes in global variables, not just in a certain addressable section.

Actions #6

Updated by Jim Pingle about 10 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.1

Actions #7

Updated by Jim Pingle about 10 years ago

  • Status changed from New to Feedback

This was implemented yesterday in 2.1 and merged into 2.0.1.

Actions #8

Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Resolved
