Bug #12475
open
OpenVPN Client Export does not show certificate without private key
Added by Denis Grilli 8 months ago.
Updated 4 months ago.
Category:
OpenVPN Client Export
Affected Architecture:
All
Description
When using the page https://<server>/vpn_openvpn_export.php to export an OpenVPN client config package, only certificates with a private key are shown in the list.
This is correct unless we want to use either the option "Use Microsoft Certificate Storage instead of local files." or "Use PKCS#11 storage device (cryptographic token, HSM, smart card) instead of local files.", in which case it is very likely that the certificate we have issued doesn't have its private key stored on the pfSense box. In fact we normally have the end user create a .csr (keeping the private key on a smart card) and issue the certificate from it.
I believe the reason for that is a change made a while ago to the src/etc/certs.inc file and the cert_build_list function, which now doesn't add certificates without a private key to the list.
When the "consumer" is "OPENVPN", cert_build_list should add certificates without a private key too, or the openvpn_client_export package should use its own function to build the list of compatible certificates based on the storage option chosen for the export.
- Project changed from pfSense to pfSense Packages
- Subject changed from openvpn_client_export doesn't show certificate without private key to OpenVPN Client Export does not show certificate without private key
- Category changed from OpenVPN to OpenVPN Client Export
- Release Notes deleted (Default)
- Affected Version deleted (2.5.x)
- Status changed from New to Pull Request Review
- Assignee set to Viktor Gurov
Can I ask why this fix is not on the public git repository?
Denis Grilli wrote in #note-4:
Can I ask why this fix is not on the public git repository?
It hasn't been merged yet as it's still under review. Once it gets merged it will be in the package (and public code repository).
Jim Pingle wrote in #note-5:
Denis Grilli wrote in #note-4:
Can I ask why this fix is not on the public git repository?
It hasn't been merged yet as it's still under review. Once it gets merged it will be in the package (and public code repository).
Apologies, I wasn't aware of the actual procedure... Thanks for taking the time to reply to me and for the job you guys are doing.
Denis
- Status changed from Pull Request Review to Feedback
- Status changed from Feedback to New
- Assignee changed from Viktor Gurov to Jim Pingle
This has caused a problem: it's now impossible to export a config for a non-TLS RA config ("Remote Access (User Auth)"). Attempting to do so results in an error:
A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.
To me, it's a simple fix to not do that check for servers using that mode.
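The two selection rules discussed in this issue (offer certificates without a private key only when the key lives in the Microsoft store or on a PKCS#11 token, and skip the private-key check entirely for a user-auth-only server) as an added PHP example. This is not pfSense's or the OpenVPN Client Export package's own code; the certificate array layout ('refid', 'descr', 'crt', 'prv'), the storage constants, the function names and the sample data are all assumptions made for illustration.

```php
<?php
// Added example, not code from pfSense or the OpenVPN Client Export package.
// Models the two rules discussed in this issue:
//   1. which certificates the export page should list depends on the chosen
//      key storage: without a private key on the firewall a certificate is
//      only usable when the key lives in the Windows store or on a token;
//   2. a user-auth-only server ('server_user') uses no client certificate,
//      so the "private key cannot be empty" check must not run for it.
// The certificate array layout ('refid', 'descr', 'crt', 'prv') and the
// storage constants are assumptions, not a reproduction of pfSense config.

const STORAGE_LOCAL  = 'local';     // keys written into the exported bundle
const STORAGE_MS     = 'ms_store';  // Microsoft Certificate Storage
const STORAGE_PKCS11 = 'pkcs11';    // token / HSM / smart card

function cert_has_private_key(array $cert): bool {
    return !empty($cert['prv']);
}

function external_key_storage(string $storage): bool {
    return in_array($storage, [STORAGE_MS, STORAGE_PKCS11], true);
}

/* Certificates the export page should offer for a given storage choice.
 * Returns the refids of the usable certificates. */
function export_cert_candidates(array $certs, string $storage): array {
    $out = [];
    foreach ($certs as $cert) {
        if (empty($cert['crt'])) {
            continue;   // no certificate at all: never exportable
        }
        if (cert_has_private_key($cert) || external_key_storage($storage)) {
            $out[] = $cert['refid'];
        }
    }
    return $out;
}

/* Validation at export time. Returns an error message, or null when the
 * export may proceed. $cert is null when no certificate was selected. */
function export_validate(string $server_mode, ?array $cert, string $storage): ?string {
    // "Remote Access (User Auth)" servers do not use a client certificate,
    // so the private-key check does not apply to them at all.
    if ($server_mode === 'server_user') {
        return null;
    }
    if ($cert === null || empty($cert['crt'])) {
        return 'A client certificate is required for this server mode.';
    }
    if (!cert_has_private_key($cert) && !external_key_storage($storage)) {
        return 'A private key cannot be empty if PKCS#11 or Microsoft Certificate Storage is not used.';
    }
    return null;
}

// Constructed sample data: placeholder PEM strings, not real certificates.
$certs = [
    ['refid' => 'a1', 'descr' => 'alice (key on firewall)',
     'crt' => '-----BEGIN CERTIFICATE-----...', 'prv' => '-----BEGIN PRIVATE KEY-----...'],
    ['refid' => 'b2', 'descr' => 'bob (key on smart card, CSR-issued)',
     'crt' => '-----BEGIN CERTIFICATE-----...', 'prv' => ''],
];

echo "local files:   ", implode(', ', export_cert_candidates($certs, STORAGE_LOCAL)), "\n";
echo "PKCS#11:       ", implode(', ', export_cert_candidates($certs, STORAGE_PKCS11)), "\n";
echo "server_user, no cert:          ", var_export(export_validate('server_user', null, STORAGE_LOCAL), true), "\n";
echo "server_tls_user, bob, local:   ", var_export(export_validate('server_tls_user', $certs[1], STORAGE_LOCAL), true), "\n";
echo "server_tls_user, bob, MS store:", var_export(export_validate('server_tls_user', $certs[1], STORAGE_MS), true), "\n";
```

With local-file storage only alice's certificate is listed; with PKCS#11 or the Microsoft store bob's CSR-issued certificate (no private key on the firewall) is listed as well, and the empty-key error is raised only for a TLS server mode combined with local-file storage, never for a user-auth-only server.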
- Status changed from New to Feedback
Fix pushed, will be available whenever the next build happens.
This change has caused yet another problem with exporting certificates from server_tls_user mode.
Two things I noticed when tracing this down:
To reproduce:
- Create a CA
- Create a user with a certificate signed by above CA
- Create an OpenVPN server with SSL/TLS + Auth user/pass (mode: server_tls_user)
- Try to export a client configuration for the user with certificates