<p><strong>pfSense bugtracker</strong></p>
<p><strong>pfSense - Feature #1257: Handle encrypted CA/Certificate private keys</strong> (<a class="external" href="https://redmine.pfsense.org/issues/1257">https://redmine.pfsense.org/issues/1257</a>)</p>
<p><strong>Brad Langhorst</strong> (brad@langhorst.com), 2011-02-06T09:38:05Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=4866">journal 4866</a></p>
<p>Upon further investigation, I see that the crt was not saved.</p>
<p>here's a bit of the config file.</p>
<pre><code>&lt;descr&gt;&lt;![CDATA[walden]]&gt;&lt;/descr&gt;
&lt;caref&gt;4d460d3298bb2&lt;/caref&gt;
&lt;crt/&gt;
&lt;prv&gt;I REMOVED THIS ONE THE OTHER ONE IS BLANK&lt;/prv&gt;
&lt;/cert&gt;</code></pre>
<p><strong>Brad Langhorst</strong> (brad@langhorst.com), 2011-02-06T09:41:32Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=4867">journal 4867</a></p>
<p>The title of this bug should be "certificate file is not properly generated or saved" using internal cert auth.</p>
<p><strong>Jim Pingle</strong>, 2011-02-07T09:06:44Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=4875">journal 4875</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Rejected</i></li></ul><p>I can't replicate this - I can make certificates several different ways on current snapshots and they are complete inside of the config.</p>
<p>You might want to make a thread on the forum with more detail about exactly how you are creating the certificates, there may be something else going on, but the certificate generation code appears to be working properly.</p>
<p><strong>Brad Langhorst</strong> (brad@langhorst.com), 2011-02-08T13:35:04Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=4896">journal 4896</a></p>
<p>Seems to be related to importing of a certificate authority.</p>
<p>To isolate a bit... I created an internal certificate authority and generated a cert.<br />This one looks fine.</p>
<p>I still cannot create certs when I choose the pre-existing cert authority that I created outside of pfSense<br />(using openssl/tinyca2).</p>
<p>I looked for some kind of log to show what commands php is trying to run, but didn't find one.<br />How can I help debug this problem?</p>
<p><strong>Jim Pingle</strong>, 2011-02-08T13:38:33Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=4897">journal 4897</a></p>
<p>When you imported the CA, did you import both the cert and private key of the CA?</p>
<p>All of the certificates are made in certs.inc. The code is laid out pretty well there, shouldn't be hard to see what commands are run.</p>
<p><strong>Brad Langhorst</strong> (brad@langhorst.com), 2011-02-08T13:49:19Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=4898">journal 4898</a></p>
<p>One more clarification...<br />I just checked and see that the private key is encrypted, so cert signing must fail since it never asks for a password.</p>
<p>I can think of a few possible solutions:</p>
<ul>
<li>ask for a password before attempting to sign a new cert (my favorite option)</li>
<li>don't allow encrypted private keys (probably not a great idea), and reject an invalid key during import</li>
<li>don't allow creation of new certs if no usable key is available for the selected cert</li>
</ul>
<p>Certificate generation works if I paste in the unencrypted CA key, though this strikes me as a poor security practice.<br />At minimum, I think the user should be notified if a new cert cannot be generated.</p>
<p><strong>Jim Pingle</strong>, 2011-02-08T14:31:09Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=4902">journal 4902</a></p>
<ul><li><strong>Subject</strong> changed from <i>exported certificate files are empty</i> to <i>Handle encrypted CA private keys</i></li><li><strong>Status</strong> changed from <i>Rejected</i> to <i>New</i></li><li><strong>Target version</strong> deleted (<del><i>2.0</i></del>)</li><li><strong>Affected Architecture</strong> <i>All</i> added</li><li><strong>Affected Architecture</strong> deleted (<del><i></i></del>)</li></ul><p>Not sure if this will make 2.0 or not. It may have to wait for 2.1 at this point; it may end up a documented limitation for 2.0 because it works fine for certificates made and managed in the GUI.</p>
<p><strong>Chris Buechler</strong> (cbuechler@gmail.com), 2016-06-14T17:30:08Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=27610">journal 27610</a></p>
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li></ul>
<p><strong>Peter Feichtinger</strong>, 2019-04-04T14:55:20Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=40342">journal 40342</a></p>
<p>I made a preliminary PR that adds support for encrypted private keys to the CA, certificate, and user managers.<br />Would love to get some feedback: <a class="external" href="https://github.com/pfsense/pfsense/pull/4062">https://github.com/pfsense/pfsense/pull/4062</a></p>
<p><strong>Jim Pingle</strong>, 2019-08-16T15:12:58Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=41622">journal 41622</a></p>
<ul><li><strong>Subject</strong> changed from <i>Handle encrypted CA private keys</i> to <i>Handle encrypted CA/Certificate private keys</i></li></ul>
<p><strong>Jim Pingle</strong>, 2019-09-11T14:07:36Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=42298">journal 42298</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Pull Request Review</i></li><li><strong>Target version</strong> set to <i>2.5.0</i></li></ul>
<p><strong>Renato Botelho</strong> (renato@netgate.com), 2020-10-12T07:12:36Z, <a class="external" href="https://redmine.pfsense.org/issues/1257?journal_id=48601">journal 48601</a></p>
<ul><li><strong>Target version</strong> changed from <i>2.5.0</i> to <i>Future</i></li></ul><p>Moving to Future due to lack of activity on the proposed pull request.</p>
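<p>An added example, not code from this thread or from pfSense's certs.inc, of the two checks Brad asks for above: detect an encrypted CA private key at import time, and make signing fail with a clear message (or succeed once a passphrase is supplied) instead of silently storing an empty <code>&lt;crt/&gt;</code>. It is PHP 8 because certs.inc is PHP; the CA, passphrase and common names are constructed for the demonstration.</p>

```php
<?php
// Added example, not pfSense's certs.inc: refuse to sign with a CA key that
// cannot actually be used, and say why, instead of storing an empty <crt/>.

/** True when the PEM private key is passphrase-protected (PKCS#8 or legacy PEM). */
function pem_key_is_encrypted(string $pem): bool
{
    return str_contains($pem, 'BEGIN ENCRYPTED PRIVATE KEY')
        || str_contains($pem, 'Proc-Type: 4,ENCRYPTED');
}

/** Load the CA signing key; throw a clear error instead of returning false. */
function load_ca_key(string $pem, ?string $passphrase = null): OpenSSLAsymmetricKey
{
    if ($passphrase === null && pem_key_is_encrypted($pem)) {
        throw new RuntimeException('CA private key is encrypted: a passphrase is required to sign');
    }
    $key = openssl_pkey_get_private($pem, $passphrase);
    if ($key === false) {
        throw new RuntimeException('CA private key unusable: ' . (openssl_error_string() ?: 'unknown error'));
    }
    return $key;
}

/** Sign a fresh leaf CSR with the CA and return the certificate PEM, never an empty string. */
function sign_leaf(OpenSSLCertificate $caCert, OpenSSLAsymmetricKey $caKey, string $cn): string
{
    $leafKey = null;   // openssl_csr_new generates a new leaf key into this variable
    $csr = openssl_csr_new(['commonName' => $cn], $leafKey, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, $caCert, $caKey, 365, ['digest_alg' => 'sha256']);
    if ($cert === false || !openssl_x509_export($cert, $pem)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    return $pem;
}

// Constructed CA: a fresh RSA key exported with a passphrase, plus a self-signed CA cert.
$caKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($caKey, $encryptedPem, 'constructed-passphrase');
$caCert = openssl_csr_sign(openssl_csr_new(['commonName' => 'Test CA'], $caKey), null, $caKey, 365);

echo 'Imported key encrypted: ', var_export(pem_key_is_encrypted($encryptedPem), true), PHP_EOL;
try {
    load_ca_key($encryptedPem);            // no passphrase: fails loudly rather than silently
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
// With the passphrase the user was asked for, signing works and the crt is non-empty.
$crt = sign_leaf($caCert, load_ca_key($encryptedPem, 'constructed-passphrase'), 'walden');
echo 'Signed certificate length: ', strlen($crt), PHP_EOL;
```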