Handle encrypted CA/Certificate private keys
When I export a certificate using
I get an empty file.
The private key downloads just fine.
#1 Updated by Brad Langhorst about 9 years ago
Upon further investigation, I see that the crt was not saved.
Here's a bit of the config file.
<prv>I REMOVED THIS ONE THE OTHER ONE IS BLANK</prv>
#3 Updated by Jim Pingle about 9 years ago
- Status changed from New to Rejected
I can't replicate this - I can make certificates several different ways on current snapshots and they are complete inside of the config.
You might want to make a thread on the forum with more detail about exactly how you are creating the certificates, there may be something else going on, but the certificate generation code appears to be working properly.
#4 Updated by Brad Langhorst about 9 years ago
Seems to be related to importing of a certificate authority.
To isolate a bit... I created an internal certificate authority and generated a cert.
This one looks fine.
I still cannot create certs when I choose the pre-existing cert authority that I created outside of pfSense.
I looked for some kind of log to show what commands PHP is trying to run, but didn't find one.
How can I help debug this problem?
#6 Updated by Brad Langhorst about 9 years ago
One more clarification...
I just checked and see that the private key is encrypted, so cert signing must fail since it never asks for a password.
- ask for a password before attempting to sign a new cert (my favorite option)
- don't allow encrypted private keys (probably not a great idea), and reject an invalid key during import
- don't allow creation of new certs if no usable key is available for the selected cert
Certificate generation works if I paste in the unencrypted ca key, though this strikes me as a poor security practice.
At minimum, I think the user should be notified if a new cert cannot be generated.
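The import-time check suggested in comment #6 (reject a key that cannot be used for signing, and tell the user why) can be demonstrated with a small PEM classifier. This is an added example, not code from this issue or from pfSense: it only inspects the PEM framing and headers, so it needs no OpenSSL and runs offline; the sample keys below are constructed placeholders with dummy base64 bodies, not real key material, and the function names (classify_private_key, check_ca_key_for_import) are this example's own.

```python
import base64
import binascii
import re

# One PEM block: BEGIN label, optional RFC 1421 headers, base64 body, END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P<endlabel>[A-Z0-9 ]+)-----",
    re.DOTALL,
)

# Labels OpenSSL uses for private keys (PKCS#8 and "traditional" formats).
KEY_LABELS = {
    "PRIVATE KEY",            # PKCS#8, unencrypted
    "ENCRYPTED PRIVATE KEY",  # PKCS#8, passphrase-protected
    "RSA PRIVATE KEY",        # traditional; encrypted only if Proc-Type header present
    "EC PRIVATE KEY",
    "DSA PRIVATE KEY",
}


def classify_private_key(pem):
    """Return 'encrypted', 'unencrypted' or 'invalid' for a PEM private key string."""
    match = PEM_BLOCK.search(pem or "")
    if not match or match.group("label") != match.group("endlabel"):
        return "invalid"
    label = match.group("label")
    if label not in KEY_LABELS:
        return "invalid"

    # Traditional PEM puts "Name: value" headers before a blank line, then base64.
    lines = [ln.strip() for ln in match.group("body").splitlines() if ln.strip()]
    headers = []
    while lines and ":" in lines[0]:
        headers.append(lines.pop(0))
    if not lines:
        return "invalid"  # no key body at all, e.g. the blank <prv> seen in the config
    try:
        base64.b64decode("".join(lines), validate=True)
    except (binascii.Error, ValueError):
        return "invalid"

    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted"
    if any(h.upper().startswith("PROC-TYPE:") and "ENCRYPTED" in h.upper() for h in headers):
        return "encrypted"
    return "unencrypted"


def check_ca_key_for_import(pem):
    """Decide whether a CA key can be accepted for signing; returns (ok, message)."""
    kind = classify_private_key(pem)
    if kind == "encrypted":
        return False, ("CA private key is passphrase-protected; it cannot be used for "
                       "unattended certificate signing. Import rejected.")
    if kind == "invalid":
        return False, "CA private key is missing or not a valid PEM private key. Import rejected."
    return True, "CA private key accepted."


# Constructed sample keys: the bodies are placeholder bytes, not real keys.
_BODY = base64.b64encode(b"constructed placeholder, not a real key").decode()
SAMPLE_PLAIN = f"-----BEGIN RSA PRIVATE KEY-----\n{_BODY}\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_LEGACY_ENC = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    f"{_BODY}\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PKCS8_ENC = (
    f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_BODY}\n-----END ENCRYPTED PRIVATE KEY-----\n"
)
SAMPLE_GARBLED = "-----BEGIN RSA PRIVATE KEY-----\nnot base64!!\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, pem in [("plain", SAMPLE_PLAIN), ("legacy-encrypted", SAMPLE_LEGACY_ENC),
                      ("pkcs8-encrypted", SAMPLE_PKCS8_ENC), ("garbled", SAMPLE_GARBLED),
                      ("empty", "")]:
        ok, msg = check_ca_key_for_import(pem)
        print(f"{name:17} -> {classify_private_key(pem):11} accepted={ok}  {msg}")
```

Running this surfaces the encrypted-key case at import, where the user can act on it, instead of later as a silently empty certificate; an "unencrypted" verdict here only means the key is not passphrase-protected, so a real importer would still hand it to OpenSSL to confirm it parses.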
#7 Updated by Jim Pingle about 9 years ago
- Subject changed from exported certificate files are empty to Handle encrypted CA private keys
- Status changed from Rejected to New
- Target version deleted (
- Affected Architecture All added
- Affected Architecture deleted (
Not sure if this will make 2.0 or not. It may have to wait for 2.1 at this point, it may end up a documented limitation for 2.0 because it works fine for certificates made and managed in the GUI.