<p>pfSense bugtracker (https://redmine.pfsense.org/)</p>
<p>pfSense - Feature #1184: Certificate Manager - Ability to add nsCertType=SERVER extension to certificates</p>
<p><strong>Chris Buechler</strong> (cbuechler@gmail.com), 2011-01-11T19:16:06Z, https://redmine.pfsense.org/issues/1184?journal_id=4655</p>
<ul><li><strong>Project</strong> changed from <i>pfSense Packages</i> to <i>pfSense</i></li></ul>
<p><strong>Rhys Rhaven</strong> (rhys@rhavenindustrys.com), 2011-05-18T23:17:52Z, https://redmine.pfsense.org/issues/1184?journal_id=5746</p>
<p>+1 Request for this. I will correct though, not having ns-cert-type does not allow a MitM attack except from other VPN users who have valid keys.</p>
<p><strong>Jim Pingle</strong>, 2011-05-18T23:31:47Z, https://redmine.pfsense.org/issues/1184?journal_id=5748</p>
<p>This one is a bit tricky, I've looked into it before and came up empty. There doesn't seem to be a good way to do this purely using PHP's openssl functions, since the cert type and such is pulled from the openssl.cnf file on the filesystem, and it would have to be swapped around to do it as expected.</p>
<p>Suggestions are more than welcome for how to generate these in a one-off style consistent with the other code.</p>
<p><strong>George Macon</strong> (george.macon@gtri.gatech.edu), 2011-08-17T11:33:39Z, https://redmine.pfsense.org/issues/1184?journal_id=6757</p>
<p>Since we know in advance what kinds of extensions we want, they should all be specified in the openssl.cnf, but in different sections. Then, when calling openssl_csr_new and openssl_csr_sign, as part of the $args array, include "x509_extensions" =&gt; "&lt;group name&gt;". This implies that there needs to be an option in the interface to select what kind of certificate you want. The default groups in openssl.cnf, "v3_ca" and "usr_crt" cover two of the possibilities. The final option, "server", would need to be added, probably following OpenVPN's EasyRSA openssl.cnf.</p>
<p><strong>Jim Pingle</strong>, 2011-08-17T11:38:52Z, https://redmine.pfsense.org/issues/1184?journal_id=6758</p>
<p>That may be possible, it would have to be tested to make sure it really works though. I haven't looked at this since my last note on the ticket but I had thought it also required some other changes in global variables, not just in a certain addressable section.</p>
<p><strong>Jim Pingle</strong>, 2011-10-27T14:41:10Z, https://redmine.pfsense.org/issues/1184?journal_id=7258</p>
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.1</i></li></ul>
<p><strong>Jim Pingle</strong>, 2011-11-10T12:48:03Z, https://redmine.pfsense.org/issues/1184?journal_id=7339</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li></ul><p>This was implemented yesterday in 2.1 and merged into 2.0.1.</p>
<p><a class="external" href="https://github.com/bsdperimeter/pfsense/commit/7aaabd69b0dabc83fc535525bfd6200c3dd67245">https://github.com/bsdperimeter/pfsense/commit/7aaabd69b0dabc83fc535525bfd6200c3dd67245</a></p>
<p><strong>Chris Buechler</strong> (cbuechler@gmail.com), 2012-05-07T18:17:01Z, https://redmine.pfsense.org/issues/1184?journal_id=8853</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>
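The approach suggested in the thread (one extension section per certificate type in openssl.cnf, selected with `x509_extensions` in the options array) can be sketched as follows. This is an added example, not code from the ticket or from the pfSense commit; the config contents, the `issue_cert` helper and the subject names are assumptions constructed for illustration.

```php
<?php
// Constructed config: one extension section per certificate type. The
// [ server ] section follows the idea in the ticket; it is not pfSense's file.
$cnf = <<<'CNF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client
extendedKeyUsage = clientAuth
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
CNF;
$cnfPath = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnfPath, $cnf);

// Hypothetical helper: $section names the openssl.cnf group applied at signing.
function issue_cert(string $cn, string $section, string $cnfPath, $caCert = null, $caKey = null): array
{
    $opts = ['config' => $cnfPath, 'x509_extensions' => $section, 'digest_alg' => 'sha256',
             'private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];
    $key = openssl_pkey_new($opts);
    $csr = openssl_csr_new(['commonName' => $cn], $key, $opts);
    // A null CA certificate yields a self-signed certificate (used for the CA itself).
    $crt = openssl_csr_sign($csr, $caCert, $caKey ?? $key, 365, $opts, random_int(1, PHP_INT_MAX));
    if ($crt === false) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return [$crt, $key];
}

[$caCrt, $caKey] = issue_cert('example-ca', 'v3_ca', $cnfPath);
foreach (['server' => 'vpn.example.test', 'usr_cert' => 'client1'] as $section => $cn) {
    [$crt] = issue_cert($cn, $section, $cnfPath, $caCrt, $caKey);
    $ext = openssl_x509_parse($crt)['extensions'];
    printf("%-8s nsCertType=%s; EKU=%s\n", $section, $ext['nsCertType'], $ext['extendedKeyUsage']);
}
unlink($cnfPath);
```

Printing the parsed extensions for both certificate types shows whether the section passed in `x509_extensions` actually took effect at signing time, which is the point the thread says would need testing.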