OpenVPN Client Export does not show certificate without private key
When using the page https://<server>/vpn_openvpn_export.php to export an OpenVPN client config package, only certificates with a private key are shown in the list.
This is correct unless we want to use either the option "Use Microsoft Certificate Storage instead of local files." or "Use PKCS#11 storage device (cryptographic token, HSM, smart card) instead of local files.", in which case it is very likely that the certificate we have issued doesn't store the private key in the pfSense box. In fact we normally have the end user create a .csr (and store the private key in a smartcard) and issue the certificate using it.
I believe the reason for that is in the change made a while ago to the src/etc/certs.inc file and the cert_build_list function, which now doesn't add certificates without a private key to the list.
When the "consumer" is "OPENVPN", cert_build_list should add certificates without a private key too, or the openvpn_client_export package should use its own function to create the list of compatible certificates based on the option chosen for the export.
Updated by Jim Pingle 8 months ago
- Project changed from pfSense to pfSense Packages
- Subject changed from openvpn_client_export doesn't show certificate without private key to OpenVPN Client Export does not show certificate without private key
- Category changed from OpenVPN to OpenVPN Client Export
- Release Notes deleted
- Affected Version deleted
Updated by Viktor Gurov 8 months ago
Updated by Denis Grilli 6 months ago
> Jim Pingle wrote in #note-5:
> > Denis Grilli wrote in #note-4:
> > Can I ask why this fix is not on the public git repository?
> It hasn't been merged yet as it's still under review. Once it gets merged it will be in the package (and public code repository).
Apologies, I wasn't aware of the actual procedure... Thanks for taking the time to reply to me and for the job you guys are doing.
Updated by Jim Pingle 5 months ago
- Status changed from Feedback to New
- Assignee changed from Viktor Gurov to Jim Pingle
This has caused a problem: it's now impossible to export a config for a non-TLS RA config ("Remote Access (User Auth)"). Attempting to do so results in an error:
A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
To me, it's a simple fix to not do that check for servers using that mode.
Updated by Jonathan Herlin 4 months ago
This change has caused yet another problem with exporting certificates from server_tls_user mode. Two things I noticed when tracing this down:
- We are looking at $settings here which var_dumped to NULL iirc, we should probably look at $srvcfg['authmode'] as $srvcfg is defined inside the if statement on line 201 and used here: https://github.com/pfsense/FreeBSD-ports/blob/641248d8930979e14fd8142ea2e771d12c20f18e/security/pfSense-pkg-openvpn-client-export/files/usr/local/www/vpn_openvpn_export.php#L258
- When the above is true, the $cert variable is set to a string with the id of the certificate. So we are not expecting it to contain $cert['prv']. https://github.com/pfsense/FreeBSD-ports/blob/641248d8930979e14fd8142ea2e771d12c20f18e/security/pfSense-pkg-openvpn-client-export/files/usr/local/www/vpn_openvpn_export.php#L263
- Create a CA
- Create a user with a certificate signed by above CA
- Create an OpenVPN server with SSL/TLS + Auth user/pass (mode: server_tls_user)
- Try to export a client configuration for a user with a certificate
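The three points raised in this issue (the original report about certificates whose key lives on a smart card, Jim Pingle's note that a "Remote Access (User Auth)" server has no client certificate to check, and Jonathan Herlin's observation that the decision must be keyed off $srvcfg['authmode'] and that $cert is a string refid) can be modelled in one small piece of PHP. This is an added example and is not code from pfSense or the OpenVPN Client Export package; every function and constant name in it is hypothetical, the certificate arrays are constructed, and of the authmode values only server_tls_user appears on this page (the others are assumed to be pfSense's usual names).

```php
<?php
// Added example; not code from pfSense or the OpenVPN Client Export package.
// All function and constant names are hypothetical. It models the decision
// this issue is about: whether an export may proceed when the certificate's
// private key is not stored on the pfSense box.

// Where the exported profile expects the client key to live (hypothetical
// names for the three choices on the export form).
const STORE_LOCAL  = 'local';   // key is written into the exported bundle
const STORE_MSCERT = 'mscert';  // "Use Microsoft Certificate Storage instead of local files."
const STORE_PKCS11 = 'pkcs11';  // "Use PKCS#11 storage device ... instead of local files."

// Does this server mode authenticate clients with a certificate at all?
// Keyed off $srvcfg['authmode'] as suggested in the comment above. Only
// 'server_tls_user' appears in this issue; the other names are assumed to be
// pfSense's usual authmode values. A "Remote Access (User Auth)" server
// ('server_user') returns false, so no key check runs for it.
function server_mode_needs_client_cert(array $srvcfg): bool
{
    $tls_modes = ['p2p_tls', 'server_tls', 'server_tls_user'];
    return in_array($srvcfg['authmode'] ?? '', $tls_modes, true);
}

// Build the certificate drop-down for the export form. A certificate with no
// 'prv' entry (key generated on a smart card, cert issued from a CSR) is only
// offered when the chosen storage keeps the key off the box, so the key never
// has to exist in pfSense's config for the export to work.
function export_cert_choices(array $certs, string $storage): array
{
    $choices = [];
    foreach ($certs as $refid => $cert) {
        $has_key = !empty($cert['prv']);
        if ($has_key || $storage !== STORE_LOCAL) {
            $choices[$refid] = $cert['descr'];
        }
    }
    return $choices;
}

// Validate a submitted export. $certref is the string refid the form posts
// back, so the certificate array is looked up here rather than reading
// $cert['prv'] from a string. Returns a list of error messages; an empty
// list means the export may run.
function validate_export(array $srvcfg, array $certs, string $certref, string $storage): array
{
    if (!server_mode_needs_client_cert($srvcfg)) {
        return []; // user/password only: there is no client cert to check
    }
    if (!isset($certs[$certref])) {
        return ['Unknown certificate: ' . $certref];
    }
    if (empty($certs[$certref]['prv']) && $storage === STORE_LOCAL) {
        return ['A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.'];
    }
    return [];
}

// Constructed sample data, not a real pfSense config.
$certs = [
    'cert-local' => ['descr' => 'alice (key on box)', 'prv' => '-----BEGIN PRIVATE KEY-----...'],
    'cert-token' => ['descr' => 'bob (key on smart card)'], // issued from a CSR, no 'prv'
];
$tls_server  = ['authmode' => 'server_tls_user'];
$user_server = ['authmode' => 'server_user'];

// Drop-down contents for local storage versus a PKCS#11 token.
print_r(export_cert_choices($certs, STORE_LOCAL));
print_r(export_cert_choices($certs, STORE_PKCS11));

// The key check only applies to local storage on a TLS server; a token-backed
// cert on a TLS server and any cert on a user-auth server pass validation.
var_dump(validate_export($tls_server, $certs, 'cert-token', STORE_LOCAL));
var_dump(validate_export($tls_server, $certs, 'cert-token', STORE_PKCS11));
var_dump(validate_export($user_server, $certs, 'cert-token', STORE_LOCAL));
```

The design point is that the filtering and the validation both take the storage choice and the server's authmode as inputs, instead of relying on a consumer-agnostic cert_build_list() or on a variable that is unset in the code path being exercised. Keeping the key off the box (smart card, Windows certificate store) is the stronger posture for the end user, and the export page should not force a weaker one by refusing certificates that were deliberately issued without an exportable key.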