pfSense bugtracker (https://redmine.pfsense.org/)
pfSense - Feature #13010: Option to retain the existing serial number when renewing a CA or certificate
Note 1 by Jim Pingle, 2022-03-31T14:28:48Z: https://redmine.pfsense.org/issues/13010?journal_id=60088
<ul><li><strong>Category</strong> changed from <i>OpenVPN</i> to <i>Certificates</i></li><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li></ul><p>It could perhaps be made optional but I've seen more trouble from retaining the serial than from changing it, though.</p>
<p>It might be better to have an option to exclude the CA serial number from being used in the authorityKeyIdentifier. There may be other ramifications from that, but it seems like a better idea than reusing a serial number.</p>
<p>Both could be options -- the serial on renew, the AKID part when creating the CA and perhaps also when renewing.</p>
Note 2 by Evren Yurtesen, 2022-04-01T01:57:38Z: https://redmine.pfsense.org/issues/13010?journal_id=60142
<p>Excluding the CA serial from being used in future, in authorityKeyIdentifier, does not solve the immediate problem with existing certificates becoming invalid. But it could perhaps be implemented now so in future using random serials could be easier.</p>
<p>Perhaps it could be limited to the CA serial only. It seems to have a domino effect if it is changed. More and more people with aging CA certificates will hit this problem. It took me a while to understand why the renewed CA certificate from the pfSense GUI did not allow connections anymore.</p>
<p>There is also a lot of confusing information in forums. For example, this post claims the CA certificate can be renewed in place and suggests the new certificate should just be given to clients: <a class="external" href="https://forum.netgate.com/post/967192">https://forum.netgate.com/post/967192</a>, but this is clearly not the case right now.</p>
<p>What would be the worst issue if the same serial is used for a CA?</p>
Note 3 by Jim Pingle, 2022-04-01T12:37:03Z: https://redmine.pfsense.org/issues/13010?journal_id=60159
<p>Evren Yurtesen wrote in <a href="#note-2">#note-2</a>:</p>
<blockquote>
<p>Excluding the CA serial from being used in future, in authorityKeyIdentifier, does not solve the immediate problem with existing certificates becoming invalid. But it could perhaps be implemented now so in future using random serials could be easier.</p>
</blockquote>
<p>I agree, that's why I suggested we look into both. Though messing with AKID may not end up being feasible.</p>
<blockquote>
<p>Perhaps it could be limited to the CA serial only. It seems to have a domino effect if it is changed. More and more people with aging CA certificates will hit this problem. It took me a while to understand why the renewed CA certificate from the pfSense GUI did not allow connections anymore.</p>
</blockquote>
<p>CA serial or intermediate serial would be the only ones that matter. Server and user certs should never reuse a serial number -- you'd have no way to revoke a bad one. Which is part of why it's also bad for a CA, though usually if a CA needs to be revoked the whole thing would need to be redone anyhow.</p>
<p>It's not pfSense that cares in that instance; it's the clients and browsers. Firefox and others refuse to allow a certificate to reuse the serial, and since the GUI cert is self-signed it's effectively both a CA and a server cert. The same rules don't apply there as they would for a CA which signs multiple certs.</p>
<blockquote>
<p>There is also a lot of confusing information in forums. For example, this post claims the CA certificate can be renewed in place and suggests the new certificate should just be given to clients: <a class="external" href="https://forum.netgate.com/post/967192">https://forum.netgate.com/post/967192</a>, but this is clearly not the case right now.</p>
</blockquote>
<p>That thread was before the other change was made, so at the time it was likely true since the CA serial wouldn't have changed on renew.</p>
<blockquote>
<p>What would be the worst issue if the same serial is used for a CA?</p>
</blockquote>
<p>It's more about what we don't know than what we do know. Some client software is pickier about it than others. Technically you're supposed to change serials when renewing but it's not clear in the specs if that applies to CAs as well as certs or just certs.</p>
<p>Adding an option to retain the CA serial when renewing should be OK so long as it isn't a self-signed server certificate type situation as with the GUI cert, and the GUI doesn't have a way to generate one of those at the moment anyhow. So the code just needs to make sure the function that generates the self-signed GUI cert gets a new serial, but for regular CA entries it should be optional.</p>
Note 4 by Jim Pingle, 2022-04-11T15:06:15Z: https://redmine.pfsense.org/issues/13010?journal_id=60337
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Subject</strong> changed from <i>Renewing a self-signed CA force updates serial (serial update should be optional during renewal)</i> to <i>Option to retain the existing serial number when renewing a CA or certificate</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li><li><strong>Affected Architecture</strong> deleted (<del><i>All</i></del>)</li></ul><p>Adding the GUI option to retain the serial on renew was simple, so I took that route. The other change seems to be a bit too intrusive and prone to error.</p>
Note 5 by Jim Pingle, 2022-04-11T15:10:11Z: https://redmine.pfsense.org/issues/13010?journal_id=60338
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Option to keep serial f/renew cert Fixes #13010 Defaults to keep serial for CA but not for certs." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/ab7ad5f95edd943278d311f9daf5208c02cce9d0">ab7ad5f95edd943278d311f9daf5208c02cce9d0</a>.</p>
Note 6 by Jim Pingle, 2022-04-11T15:23:48Z: https://redmine.pfsense.org/issues/13010?journal_id=60341
<ul><li><strong>Target version</strong> set to <i>2.7.0</i></li><li><strong>Plus Target Version</strong> set to <i>22.05</i></li></ul>
Note 7 by Christopher Cope, 2022-04-15T12:37:21Z: https://redmine.pfsense.org/issues/13010?journal_id=60397
<p>Tested on</p>
<pre>
22.05-DEVELOPMENT (amd64)
built on Thu Apr 14 06:20:52 UTC 2022
FreeBSD 12.3-STABLE
</pre>
<p>and it works, but it doesn't prevent the user from reusing the serial and renewing the GUI cert. Maybe remove the option in that case or at least provide a warning?</p>
Note 8 by Jim Pingle, 2022-04-18T08:07:41Z: https://redmine.pfsense.org/issues/13010?journal_id=60439
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Christopher Cope wrote in <a href="#note-7">#note-7</a>:</p>
<blockquote>
<p>Tested on<br />[...]</p>
<p>and it works, but it doesn't prevent the user from reusing the serial and renewing the GUI cert. Maybe remove the option in that case or at least provide a warning?</p>
</blockquote>
<p>It already has a warning about that in the option description and sets the default appropriately based on type (checked for CA, unchecked for certs).</p>
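<p>The breakage discussed in notes 1 to 3, reproduced with the openssl CLI as an added example (not pfSense code): a leaf certificate whose authorityKeyIdentifier embeds the issuer name and serial stops validating once its CA is renewed under a new serial, while a CA renewed with the serial retained (what the new option does) or a leaf issued with a keyid-only AKID (the alternative Jim mentions) still validates. It assumes openssl 1.1.1 or newer is on PATH; all subjects, serials and file names are constructed for the demo.</p>

```shell
#!/bin/sh
# Added example, not pfSense code. Shows why certs whose AKID embeds the
# issuer name + serial break when the CA is renewed under a new serial,
# and that keeping the serial or using a keyid-only AKID avoids it.
# Assumes openssl 1.1.1+ on PATH; names, serials, paths are constructed.
chk() {  # args: CA file, leaf file; prints OK or FAIL
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
}
mkca() {  # args: name, serial, validity days; same key and subject every time
    openssl req -x509 -new -key "$d/ca.key" -config "$d/req.cnf" -subj "/CN=Demo CA" \
        -set_serial "$2" -days "$3" -addext "basicConstraints=critical,CA:TRUE" \
        -addext "subjectKeyIdentifier=hash" -out "$d/$1.crt" 2>/dev/null
}
akid_renewal_demo() {
    d=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
    # two leaf extension sets: AKID with issuer+serial vs. AKID with keyid only
    printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer:always\n' > "$d/ext_serial.cnf"
    printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$d/ext_keyid.cnf"
    for k in ca leaf; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/$k.key" 2>/dev/null || return 1
    done
    # original CA (serial 1), then two "renewals" with the same key: new serial 2, or serial 1 kept
    mkca ca_orig 1 30 && mkca ca_renew_new 2 3650 && mkca ca_renew_keep 1 3650 || return 1
    openssl req -new -key "$d/leaf.key" -config "$d/req.cnf" -subj "/CN=client1" -out "$d/leaf.csr" 2>/dev/null || return 1
    for e in serial keyid; do  # both leaves are issued by the ORIGINAL CA
        openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca_orig.crt" -CAkey "$d/ca.key" -set_serial 100 \
            -days 30 -extfile "$d/ext_$e.cnf" -out "$d/leaf_$e.crt" 2>/dev/null || return 1
    done
    openssl x509 -in "$d/leaf_serial.crt" -noout -ext authorityKeyIdentifier  # shows DirName + serial:01
    r1=$(chk "$d/ca_renew_new.crt"  "$d/leaf_serial.crt")   # what pfSense users hit after renewal
    r2=$(chk "$d/ca_renew_keep.crt" "$d/leaf_serial.crt")   # the new "retain serial" option
    r3=$(chk "$d/ca_renew_new.crt"  "$d/leaf_keyid.crt")    # the "no serial in AKID" alternative
    echo "issuer+serial AKID vs CA renewed with new serial : $r1"
    echo "issuer+serial AKID vs CA renewed, serial retained: $r2"
    echo "keyid-only AKID    vs CA renewed with new serial : $r3"
    rm -rf "$d"
    [ "$r1" = FAIL ] && [ "$r2" = OK ] && [ "$r3" = OK ]
}
akid_renewal_demo
```

The first verify fails with "unable to get local issuer certificate" because the leaf's AKID serial no longer matches the CA's serial, which is the same check the clients in this thread perform.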