Feature #1192
closed
Certificate Manager - Ability to Encrypt Private Keys When Exporting
100%
Description
I'm currently running pfSense 2.0-BETA5 (i386) built on Tue Jan 11 15:17:51 EST 2011. I love the Certificate Manager and a nice feature to add would be the ability to optionally encrypt private keys when exporting them. When you click the export button, the system should prompt you with "Do you want to encrypt the exported private key?" If you answer "yes", the key should be encrypted, otherwise it should be unencrypted.
This command should encrypt the key (works for me, anyway): openssl rsa -in unencrypted.key -des3 -out encrypted.key
To reverse the encryption (not sure why you would want to do that...), use this: openssl rsa -in encrypted.key -out unencrypted.key
This feature would make it easier to ensure that unencrypted private keys aren't floating around all over the place.
Updated by Jim Pingle over 4 years ago
- Status changed from New to In Progress
- Assignee set to Jim Pingle
- Target version set to 2.5.0
Updated by Jim Pingle over 4 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 967733529244944d751003517a1e42fba1b29c07.
Updated by Viktor Gurov over 4 years ago
works ok, but it should hide exportpass field on non-edit (certificate import) page:
https://github.com/pfsense/pfsense/pull/4136
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
PR merged
Updated by Viktor Gurov over 4 years ago
Renato Botelho wrote:
PR merged
The password must be between 3 and 1023 characters long, otherwise you will get an openssl error:
$ openssl rsa -in shortpass.key -out p.key Enter pass phrase for shortpass.key: 140194656773248:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:905:You must type in 4 to 1023 characters
PR to fix it:
https://github.com/pfsense/pfsense/pull/4147
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee changed from Jim Pingle to Renato Botelho
By default openssl export uses DES-EDE3-CBC for encryption
This is not necessary, but if we want to avoid using any outdated encryption standards (to comply Suite B, CNSA),
we should avoid the old algorithms throughout the all system.
Updated by Jim Pingle over 4 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov about 4 years ago
- Status changed from Feedback to Resolved
Renato Botelho wrote:
PR has been merged. Thanks!
tested on 2.5.0.a.20200129.1414
export of encrypted private keys and PKCS#12 archives works OK