Feature #1192

Certificate Manager - Ability to Encrypt Private Keys When Exporting

Added by Joe Kelly almost 10 years ago. Updated 9 months ago.

Status: Resolved
Priority: Normal
Category: Certificates
Target version:
Start date: 01/13/2011
Due date:
% Done: 100%
Estimated time:

Description

I'm currently running pfSense 2.0-BETA5 (i386) built on Tue Jan 11 15:17:51 EST 2011. I love the Certificate Manager and a nice feature to add would be the ability to optionally encrypt private keys when exporting them. When you click the export button, the system should prompt you with "Do you want to encrypt the exported private key?" If you answer "yes", the key should be encrypted, otherwise it should be unencrypted.

This command should encrypt the key (works for me, anyway): openssl rsa -in unencrypted.key -des3 -out encrypted.key

To reverse the encryption (not sure why you would want to do that...), use this: openssl rsa -in encrypted.key -out unencrypted.key

This feature would make it easier to ensure that unencrypted private keys aren't floating around all over the place.

Associated revisions

Revision 96773352 (diff)
Added by Jim Pingle 12 months ago

Add edit screen for Certificate entries.

  • Allows editing the name/descr. Implements #7861
  • Adds a (not stored) password field and buttons for exporting encrypted private
    keys and PKCS#12 archives. Implements #1192
  • More code optimization

Revision 8e4ad4c8 (diff)
Added by Viktor Gurov 9 months ago

encrypt exported key with AES-256. Issue #1192

History

#1 Updated by Jim Pingle 12 months ago

  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

#2 Updated by Jim Pingle 12 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#3 Updated by Viktor Gurov 10 months ago

Works OK, but it should hide the exportpass field on the non-edit (certificate import) page:
https://github.com/pfsense/pfsense/pull/4136

#4 Updated by Jim Pingle 10 months ago

  • Status changed from Feedback to Pull Request Review

#5 Updated by Renato Botelho 10 months ago

  • Status changed from Pull Request Review to Feedback

PR merged

#6 Updated by Viktor Gurov 10 months ago

Renato Botelho wrote:

PR merged

The password must be between 3 and 1023 characters long, otherwise you will get an openssl error:

$ openssl rsa -in shortpass.key -out p.key
Enter pass phrase for shortpass.key:
140194656773248:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters

PR to fix it:
https://github.com/pfsense/pfsense/pull/4147

#7 Updated by Jim Pingle 10 months ago

  • Status changed from Feedback to Pull Request Review

#8 Updated by Renato Botelho 10 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee changed from Jim Pingle to Renato Botelho

By default, openssl export uses DES-EDE3-CBC for encryption.

This is not necessary, but if we want to avoid using any outdated encryption standards (to comply with Suite B, CNSA),
we should avoid the old algorithms throughout the whole system.

https://github.com/pfsense/pfsense/pull/4157

#9 Updated by Jim Pingle 10 months ago

  • Status changed from Feedback to Pull Request Review

#10 Updated by Renato Botelho 9 months ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

#11 Updated by Viktor Gurov 9 months ago

  • Status changed from Feedback to Resolved

Renato Botelho wrote:

PR has been merged. Thanks!

tested on 2.5.0.a.20200129.1414

export of encrypted private keys and PKCS#12 archives works OK
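
An added example, not part of the original thread or pfSense's code: a shell check that reports whether an exported PEM private key is unencrypted or, for traditional-format keys, which cipher its DEK-Info header names (DES-EDE3-CBC versus AES-256-CBC, as discussed in the thread). The function names and sample key files are constructed for illustration; the passphrase range is the one in the OpenSSL error quoted in the thread.

```shell
#!/bin/sh
# Added example (not pfSense code): audit how an exported PEM private key is
# protected. Reads only the PEM armor and headers; the body is never decoded.

# Prints: unencrypted | traditional:<cipher> | pkcs8-encrypted | not-a-key
pem_key_protection() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { kind = "pkcs8-encrypted" }
        /^-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/ { kind = "unencrypted" }
        # Traditional encrypted keys carry a header: DEK-Info: <cipher>,<hex IV>
        /^DEK-Info:/ { split($2, f, ","); cipher = f[1] }
        END {
            if (kind == "") print "not-a-key"
            else if (cipher != "") print "traditional:" cipher
            else print kind
        }
    ' "$1"
}

# Succeeds only if the passphrase length is within the 4..1023 character
# range stated by the OpenSSL error quoted in the thread.
export_pass_ok() {
    [ "${#1}" -ge 4 ] && [ "${#1}" -le 1023 ]
}

# Constructed sample: PEM armor around a placeholder body, not a real key.
# $1 = output file, $2 = cipher name, or "" for an unencrypted key.
write_sample_key() {
    {
        echo "-----BEGIN RSA PRIVATE KEY-----"
        if [ -n "$2" ]; then
            echo "Proc-Type: 4,ENCRYPTED"
            echo "DEK-Info: $2,00112233445566778899AABBCCDDEEFF"  # placeholder IV
            echo
        fi
        echo "Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBLRVk="
        echo "-----END RSA PRIVATE KEY-----"
    } > "$1"
}

audit_demo() {
    dir=$(mktemp -d) || return 1
    write_sample_key "$dir/plain.key" ""
    write_sample_key "$dir/des3.key" "DES-EDE3-CBC"
    write_sample_key "$dir/aes.key" "AES-256-CBC"
    for k in plain des3 aes; do
        printf '%s.key: %s\n' "$k" "$(pem_key_protection "$dir/$k.key")"
    done
    rm -rf "$dir"
}

audit_demo
```

For a `pkcs8-encrypted` result the cipher is recorded inside the key's ASN.1 structure rather than in a PEM header, so this header check cannot name it.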
