Todo #14183

closed

Update OpenVPN Wizard to match current certificate and OpenVPN options

Added by Jon Brown over 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: OpenVPN
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.05
Release Notes: Default

Description

When running the OpenVPN wizard (VPN --> OpenVPN --> Wizards --> Type of Server: Local User Access), on step 6 of 11 there is no option to enable Randomize Serial.

Why should this be included?

  • When you edit the CA, or indeed create one manually, there is an option to enable Randomize Serial.
  • I don't have the link, but I believe it is standard procedure to give certificates random serial IDs.


Files

step6of11.png (110 KB) Jon Brown, 03/27/2023 07:50 AM
clipboard-202304011131-9nkgk.png (94.5 KB) Lev Prokofev, 04/01/2023 02:31 AM
Actions #1

Updated by Jon Brown over 1 year ago

https://docs.netgate.com/pfsense/en/latest/certificates/ca.html

The current best practice is to randomize serial numbers so they are unpredictable. This also reduces the chances of generating two certificates with the same serial number in circumstances where the CA is moved between different hosts or signs certificates in multiple places.
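
One way to check the certificates a CA has already issued for the two problems named above (predictable serials and colliding serials), as an added example that is not part of the original issue or of pfSense's code. It assumes one line per certificate in the format printed by `openssl x509 -noout -serial`; the sample serials and the 32-bit threshold are constructed for illustration.

```python
"""Audit serial numbers issued by one CA (added example, not pfSense code)."""
from collections import Counter

# Assumption: a serial shorter than this many bits is treated as coming from
# an incrementing counter rather than a random generator (heuristic only).
MIN_RANDOM_BITS = 32

# Constructed sample: a counter-based CA that was copied to a second host,
# so serial 02 was issued twice.
COUNTER_CA = ["serial=01", "serial=02", "serial=03", "serial=02"]
# Constructed sample: a CA with randomized serials.
RANDOM_CA = [
    "serial=5F3A9C0E7B2D4418",
    "serial=1C77E09A33B5D2F6",
    "serial=7A04D1B86E2C9F53",
]


def parse_serial(line):
    """Accept 'serial=0A1B' (openssl output) or bare/colon-separated hex."""
    text = line.strip().split("=", 1)[-1].replace(":", "")
    return int(text, 16)


def audit_serials(lines):
    """Return the duplicate, sequential and short serials found in `lines`."""
    serials = [parse_serial(line) for line in lines if line.strip()]
    counts = Counter(serials)
    duplicates = sorted(s for s, n in counts.items() if n > 1)
    unique = sorted(counts)
    # Neighbouring values that differ by exactly 1 point to a counter.
    sequential = sorted(
        {s for a, b in zip(unique, unique[1:]) if b - a == 1 for s in (a, b)}
    )
    short = [s for s in unique if s.bit_length() < MIN_RANDOM_BITS]
    return {"duplicates": duplicates, "sequential": sequential, "short": short}


if __name__ == "__main__":
    for name, sample in (("counter CA", COUNTER_CA), ("random CA", RANDOM_CA)):
        print(name, audit_serials(sample))
```

Any non-empty `duplicates` list means two certificates from the same CA share a serial, which makes revocation by serial ambiguous.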
Actions #2

Updated by Jim Pingle over 1 year ago

  • Assignee set to Jim Pingle
  • Target version set to 2.7.0
  • Plus Target Version set to 23.05

I agree, we should either add that as an option or silently enable it by default.

That whole workflow is probably due for a review, there are likely other options for CA/Certs that need tweaked as well.

Actions #3

Updated by Jim Pingle over 1 year ago

  • Subject changed from OpenVPN Wizard - Create CA step is missing 'Randomize Serial' to OpenVPN Wizard - Several areas out of date
  • Status changed from New to In Progress

Making this more general as there are a few other places that need updated as well. I went through and compared things and made quite a few changes. There are still a few options that are not 1:1 between all places (RADIUS, LDAP, CA, Certs, OpenVPN server) but it's closer now, and the more advanced options can be done manually if needed.

Commit coming momentarily.

Actions #4

Updated by Jim Pingle over 1 year ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Lev Prokofev over 1 year ago

Changeset tested on

23.01-RELEASE (amd64)
built on Fri Feb 10 20:06:33 UTC 2023

The randomize serial option exists now, as well as the "common name" and "organization unit" fields.

Actions #6

Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved
Actions #7

Updated by Jim Pingle about 1 year ago

  • Tracker changed from Feature to Todo
  • Subject changed from OpenVPN Wizard - Several areas out of date to Update OpenVPN Wizard to match current certificate and OpenVPN options

Updating subject for release notes.
