Feature #13010

closed

Option to retain the existing serial number when renewing a CA or certificate

Added by Evren Yurtesen almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: Certificates
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default

Description

I believe this issue is related to Bug #11514 - "Renewing a self-signed CA or certificate does not update the serial number". The serial update should be an optional feature, because when the serial is updated, all the user certificates created by the CA seem to become invalid for OpenVPN use.

The "X509v3 Authority Key Identifier" section of the client certificate has the serial of the CA certificate in it. The serial was the only difference I saw between the CLI-updated CA cert and the GUI-updated CA cert.

Updating the CA certificate manually, e.g. using:

openssl x509 -in ca.crt -days 36500 -out ca.crt.new -signkey ca.key

keeps the same serial and the resulting CA certificate can be used for OpenVPN connections with existing client certificates.

When the CA is renewed using the GUI, the OpenVPN client logs entries such as:

Mar 31 18:13:18 pfSense openvpn[37303]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=openvpnsense, serial=1
Mar 31 18:13:18 pfSense openvpn[37303]: OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
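
The serial dependency described in this report can be reproduced with throwaway keys. The script below is an added example, not part of the original report or of pfSense code. It assumes the client certificate was issued with `authorityKeyIdentifier = keyid,issuer:always`; all names, serials and file names are constructed.

```shell
#!/bin/sh
# Added example: constructed names, serials and file names throughout.

# build_pki DIR: CA (serial 1), a client cert whose AKI embeds the CA's issuer
# name and serial (assumed issuance profile), and two renewals on the same key.
build_pki() {
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
[v3_client]
authorityKeyIdentifier = keyid,issuer:always
EOF
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl genrsa -out "$d/client.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$d/pki.cnf" -extensions v3_ca -key "$d/ca.key" \
        -subj "/CN=Example CA" -set_serial 1 -days 30 -out "$d/ca.crt"
    openssl req -new -config "$d/pki.cnf" -key "$d/client.key" \
        -subj "/CN=example-client" -out "$d/client.csr"
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 100 -days 30 -extfile "$d/pki.cnf" -extensions v3_client \
        -out "$d/client.crt" 2>/dev/null
    # Renewal in the form used in the ticket: re-sign the existing cert, serial kept.
    openssl x509 -in "$d/ca.crt" -days 3650 -signkey "$d/ca.key" \
        -out "$d/ca_same_serial.crt" 2>/dev/null
    # Renewal as a fresh self-signed cert on the same key with a new serial.
    openssl req -new -x509 -config "$d/pki.cnf" -extensions v3_ca -key "$d/ca.key" \
        -subj "/CN=Example CA" -set_serial 2 -days 3650 -out "$d/ca_new_serial.crt"
}

ca_serial() { openssl x509 -in "$1" -noout -serial; }

# client_verifies CA_CERT CLIENT_CERT: status 0 only if the chain validates.
client_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
    d=$(mktemp -d) && build_pki "$d" || return 1
    for ca in ca.crt ca_same_serial.crt ca_new_serial.crt; do
        if client_verifies "$d/$ca" "$d/client.crt"; then r=OK; else r=FAILED; fi
        echo "$ca $(ca_serial "$d/$ca") -> client verify $r"
    done
    rm -rf "$d"
}
demo
```

To inspect the field itself, run `openssl x509 -in client.crt -noout -text` and compare the `serial:` line under "X509v3 Authority Key Identifier" with the serial of the CA certificate being tested.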
