Todo #14183: Update OpenVPN Wizard to match current certificate and OpenVPN options - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Todo #14183

closed

Update OpenVPN Wizard to match current certificate and OpenVPN options

Added by Jon Brown over 1 year ago. Updated over 1 year ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

OpenVPN

Target version:

2.7.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

23.05

Release Notes:

Default

Description

When running the OpenVPN wizard (VPN --> OpenVPN --> Wizards --> Type of Server: Local User Access ) On step 6 of 11, there is no option to enable Randomize Serial

Why should this be included?¶

when you edit the CA, or indeed create one manually, there is an option to enable Randomize Serial
I don't have the link, but I believe it is standard procedure to give certificates random serials IDs

Files

Download all files

step6of11.png (110 KB) step6of11.png		Jon Brown, 03/27/2023 07:50 AM
clipboard-202304011131-9nkgk.png (94.5 KB) clipboard-202304011131-9nkgk.png		Lev Prokofev, 04/01/2023 02:31 AM

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jon Brown over 1 year ago

https://docs.netgate.com/pfsense/en/latest/certificates/ca.html

The current best practice is to randomize serial numbers so they are unpredictable. This also reduces the chances of generating two certificates with the same serial number in circumstances where the CA is moved between different hosts or signs certificates in multiple places.

Actions

Copy link

Updated by Jim Pingle over 1 year ago

Assignee set to Jim Pingle
Target version set to 2.7.0
Plus Target Version set to 23.05

I agree, we should either add that as an option or silently enable it by default.

That whole workflow is probably due for a review, there are likely other options for CA/Certs that need tweaked as well.

Actions

Copy link

Updated by Jim Pingle over 1 year ago

Subject changed from OpenVPN Wizard - Create CA step is missing 'Randomize Serial' to OpenVPN Wizard - Several areas out of date
Status changed from New to In Progress

Making this more general as there are a few other places that need updated as well. I went through and compared things and made quite a few changes. There are still a few options that are not 1:1 between all places (RADIUS, LDAP, CA, Certs, OpenVPN server) but it's closer now, and the more advanced options can be done manually if needed.

Commit coming momentarily.

Actions

Copy link

Updated by Jim Pingle over 1 year ago

Status changed from In Progress to Feedback
% Done changed from 0 to 100

Applied in changeset 0abc80b184bcf16387fb9befa1f5f4695280c561.

Actions

Copy link

Updated by Lev Prokofev over 1 year ago

File clipboard-202304011131-9nkgk.png clipboard-202304011131-9nkgk.png added

Changeset tested on

23.01-RELEASE (amd64)
built on Fri Feb 10 20:06:33 UTC 2023

The randomize serial option exists now, as well as the "common name" and "organization unit" fields.

Actions

Copy link

Updated by Jim Pingle over 1 year ago

Status changed from Feedback to Resolved

Actions

Copy link

Updated by Jim Pingle over 1 year ago

Tracker changed from Feature to Todo
Subject changed from OpenVPN Wizard - Several areas out of date to Update OpenVPN Wizard to match current certificate and OpenVPN options

Updating subject for release notes.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Todo #14183

Update OpenVPN Wizard to match current certificate and OpenVPN options

Why should this be included?¶

Updated by Jon Brown over 1 year ago

Updated by Jim Pingle over 1 year ago

Updated by Jim Pingle over 1 year ago

Updated by Jim Pingle over 1 year ago

Updated by Lev Prokofev over 1 year ago

Updated by Jim Pingle over 1 year ago

Updated by Jim Pingle over 1 year ago