Bug #12475

open

OpenVPN Client Export does not show certificate without private key

Added by Denis Grilli 8 months ago. Updated 4 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
OpenVPN Client Export
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
All

Description

When using the page https://<server>/vpn_openvpn_export.php to export an openvpn client config package only certificates with private key get shown in the list.

This is correct unless we want to use either the option "Use Microsoft Certificate Storage instead of local files." or "Use PKCS#11 storage device (cryptographic token, HSM, smart card) instead of local files.", in which case it is very likely that the certificate we have issued doesn't store the private key in the pfSense box. In fact we normally have the end user create a .csr (and store the private key in a smartcard) and issue the certificate using it.

I believe the reason for that is in the change that was made a while ago to the src/etc/certs.inc file and the cert_build_list function, which now doesn't add certificates without a private key to the list.

When the "consumer" is "OPENVPN", cert_build_list should add certificates without a private key too, or the openvpn_client_export package should use its own function to create the list of compatible certificates based on the option chosen for the export.

Actions #1

Updated by Jim Pingle 8 months ago

  • Project changed from pfSense to pfSense Packages
  • Subject changed from openvpn_client_export doesn't show certificate without private key to OpenVPN Client Export does not show certificate without private key
  • Category changed from OpenVPN to OpenVPN Client Export
  • Release Notes deleted (Default)
  • Affected Version deleted (2.5.x)
Actions #3

Updated by Jim Pingle 8 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Viktor Gurov
Actions #4

Updated by Denis Grilli 6 months ago

Can I ask why this fix is not on the public git repository?

Actions #5

Updated by Jim Pingle 6 months ago

Denis Grilli wrote in #note-4:

Can I ask why this fix is not on the public git repository?

It hasn't been merged yet as it's still under review. Once it gets merged it will be in the package (and public code repository).

Actions #6

Updated by Denis Grilli 6 months ago

Jim Pingle wrote in #note-5:

Denis Grilli wrote in #note-4:

Can I ask why this fix is not on the public git repository?

It hasn't been merged yet as it's still under review. Once it gets merged it will be in the package (and public code repository).

Apologies, I wasn't aware of the actual procedure... Thanks for taking the time to reply to me and for the job you guys are doing.

Denis

Actions #7

Updated by Viktor Gurov 6 months ago

  • Status changed from Pull Request Review to Feedback

Merged

Actions #8

Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to New
  • Assignee changed from Viktor Gurov to Jim Pingle

This has caused a problem: it's impossible to export a config now for a non-TLS RA config ("Remote Access (User Auth)"). Attempting to do so results in an error:

A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.

To me, it's a simple fix to not do that check for servers using that mode.
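The selection logic the report and note #8 describe, as an added illustration written for this page (it is a model, not the package's PHP code): the private-key requirement applies only when the exported bundle must carry the key locally, is relaxed for the PKCS#11 / Microsoft Certificate Storage options, and is skipped entirely for the User Auth server mode. The mode label `server_user` for "Remote Access (User Auth)" and the field name `has_prv` are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Storage options offered on the export page (constants are this example's labels).
LOCAL_FILES = "local"
MS_CERT_STORE = "ms_store"   # "Use Microsoft Certificate Storage instead of local files."
PKCS11 = "pkcs11"            # "Use PKCS#11 storage device ... instead of local files."

# Server modes: only TLS-based modes involve a client certificate at all.
USER_AUTH_ONLY = "server_user"   # assumed label for "Remote Access (User Auth)"
TLS_MODES = {"server_tls", "server_tls_user"}


@dataclass(frozen=True)
class Cert:
    descr: str
    has_prv: bool   # True if the private key is stored on the pfSense box


def validate_export(mode: str, storage: str, cert: Optional[Cert]) -> Optional[str]:
    """Return an error message, or None if the export may proceed.

    Order matters, as note #8 points out: the User Auth mode is exempted
    before any private-key check runs, otherwise every export in that mode
    fails with the "private key cannot be empty" error.
    """
    if mode == USER_AUTH_ONLY:
        return None                      # no client certificate in this mode
    if mode not in TLS_MODES:
        return "Unsupported server mode for client export."
    if cert is None:
        return "A certificate is required for TLS server modes."
    if storage == LOCAL_FILES and not cert.has_prv:
        return ("A private key cannot be empty if PKCS#11 or "
                "Microsoft Certificate Storage is not used.")
    return None                          # key lives on the token / in the store


def exportable_certs(mode: str, storage: str, certs: List[Cert]) -> List[Cert]:
    """Certificates the export page should list for the chosen options."""
    if mode == USER_AUTH_ONLY:
        return []                        # nothing to pick in this mode
    return [c for c in certs if validate_export(mode, storage, c) is None]


# Constructed sample inventory: one key held on the box, one cert issued from
# a CSR whose key never left the user's smart card.
SAMPLE_CERTS = [
    Cert("alice-local", has_prv=True),
    Cert("bob-smartcard", has_prv=False),
]
```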

Actions #9

Updated by Jim Pingle 5 months ago

  • Status changed from New to Feedback

Fix pushed, will be available whenever the next build happens.

Actions #10

Updated by Jonathan Herlin 4 months ago

This change has caused yet another problem with exporting certificates from server_tls_user mode.

Two things I noticed when tracing this down: To reproduce:
  • Create a CA
  • Create a user with a certificate signed by above CA
  • Create an OpenVPN server with SSL/TLS + Auth user/pass (mode: server_tls_user)
  • Try to export a client configuration for a user with certificates