Bug #1446
Status: Closed
Export of internally generated certificate (crt) is empty when made from encrypted CA key
% Done: 100%
Description
After generating an own certificate, the exported crt is empty.
How the problem can be reproduced:
- An own CA certificate (self-signed) was already imported
- System->Cert Manager->Certificates:
  - "add or import"
  - Method: Create an internal certificate
  - email address and cn changed
  - Save
- System->Cert Manager->Certificates:
  - export key => OK
- System->Cert Manager->Certificates:
  - export crt => Received file is empty (0 Bytes)
This was checked with
pfSense 2.0-RC1 (i386) built on Tue Apr 19 23:03:17 EDT 2011
Updated by Jim Pingle about 14 years ago
- Status changed from New to Feedback
I performed that exact same sequence (imported a CA, generated a certificate, and exported) and I got the expected data, no empty files.
Check your config, see if the crt tag is actually empty there, maybe try a different browser and/or clear your cache if it's not empty in the config.
There must be something about either your imported CA or another part of your procedure that is causing the issue if it really is blank. Since I can't reproduce it exactly as above, more information is needed.
Updated by Claudio Thomas about 14 years ago
Tag in /cf/conf/config.xml is empty:
<cert>
<refid>4daeeb458a580</refid>
<descr><![CDATA[thomas_c]]></descr>
<caref>4dad3002120e0</caref>
<crt/>
<prv>LS0t...S0tCg==</prv>
</cert>
Tried to create with FF 3.6.16, Chrome 10.0.648.205 and IE 8.0.7600.16385 64-bit. The browser cache was always cleared before.
The creation was done by using a self-signed CA-cert. The CA-Cert was imported before with "Import an existing Certification Authority" (crt+key).
If I "Create an internal Certification Authority" and use this to generate the cert, then the <cert> tag is not empty. So the problem seems to be the external CA cert.
Is there anywhere a log that I could offer where the cert-generation (and problems) are logged?
Updated by Claudio Thomas about 14 years ago
- File ca_properties.txt added
Attached are the properties of the imported CA certificate, in case the properties of the CA are the problem.
(created with openssl req -text -noout -in ca_20100621090523.crt )
Updated by Jim Pingle about 14 years ago
Might be something specific to your CA then, hard to say without trying it out. I imported a CA I had made a long time ago in EasyRSA and I made certs from it just fine.
How exactly did you create your CA? Perhaps I can reproduce it if I make a CA the same way.
Updated by Claudio Thomas about 14 years ago
I think I found the problem. The imported CA private key was encrypted:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,84DB19C71CB1206D
lm6...ThJx2rNgUiCCJML3kzSQyN5NxRub0oaPlCxL8qyINtY7IW/scP
-----END RSA PRIVATE KEY-----
After replacing the key with the not encrypted version it runs without problems.
Now I remember that I expected the UI to ask me for the password every time I want to generate a new cert.
Well, I suggest that when a "Certificate Private Key" is imported, the ASCII content should be scanned for the word "ENCRYPTED". If found, the import should not be possible, and a warning should explain the behavior.
Better would be to expand the config.xml with information that the private key is encrypted so that the UI can ask for the Password when trying to generate a new cert.
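One way to implement the import-time rejection proposed above, as an added example that is not pfSense's own code (pfSense is written in PHP; this is Python, and the function names is_encrypted_private_key and validate_key_import as well as the sample keys are hypothetical, with dummy base64 bodies that are not real key material). Instead of grepping the whole paste for the word ENCRYPTED, it locates the PEM block and inspects its RFC 1421 headers (the "Proc-Type: 4,ENCRYPTED" line seen in the report), and it also recognizes the PKCS#8 "ENCRYPTED PRIVATE KEY" label, which goes beyond the legacy format shown in the bug:

```python
import re

# A PEM block: "-----BEGIN <label>-----" ... "-----END <label>-----" (same label).
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Labels that carry a private key; certificates, CSRs etc. are ignored.
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",  # legacy PKCS#1 / SEC1
    "PRIVATE KEY",            # PKCS#8, unencrypted
    "ENCRYPTED PRIVATE KEY",  # PKCS#8, encrypted
}


def pem_private_key_blocks(text):
    """Yield (label, headers, base64_lines) for every private-key PEM block in text."""
    for m in _PEM_BLOCK.finditer(text):
        label = m.group("label")
        if label not in PRIVATE_KEY_LABELS:
            continue
        lines = m.group("body").splitlines()
        headers = {}
        i = 0
        # RFC 1421 "Name: value" headers come before the base64 body and are
        # terminated by a blank line. Base64 never contains ':', so this is safe.
        while i < len(lines) and ":" in lines[i]:
            name, _, value = lines[i].partition(":")
            headers[name.strip()] = value.strip()
            i += 1
        if headers and i < len(lines) and lines[i].strip() == "":
            i += 1
        body = [ln.strip() for ln in lines[i:] if ln.strip()]
        yield label, headers, body


def is_encrypted_private_key(pem_text):
    """True if any private-key block is passphrase-protected."""
    for label, headers, _ in pem_private_key_blocks(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 encrypted
            return True
        if "ENCRYPTED" in headers.get("Proc-Type", "").upper():  # legacy PEM encryption
            return True
    return False


def validate_key_import(pem_text):
    """Input validation for a pasted private key. Returns a list of errors (empty = accept)."""
    errors = []
    if not list(pem_private_key_blocks(pem_text)):
        errors.append("No private key found in the supplied text.")
        return errors
    if is_encrypted_private_key(pem_text):
        errors.append(
            "The private key is encrypted (passphrase-protected); signing with it "
            "non-interactively would fail. Decrypt it first, e.g. for an RSA key: "
            "openssl rsa -in encrypted.key -out decrypted.key"
        )
    return errors


# Constructed samples (dummy base64, not real keys).
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,84DB19C71CB1206D

QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END RSA PRIVATE KEY-----
"""

LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END RSA PRIVATE KEY-----
"""

PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END ENCRYPTED PRIVATE KEY-----
"""

# A plain key with a comment that would trip a naive substring search for "ENCRYPTED".
PKCS8_PLAIN_WITH_COMMENT = """# exported from the lab box, NOT ENCRYPTED
-----BEGIN PRIVATE KEY-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, sample in [("legacy encrypted", LEGACY_ENCRYPTED), ("legacy plain", LEGACY_PLAIN),
                         ("pkcs8 encrypted", PKCS8_ENCRYPTED), ("pkcs8 plain+comment", PKCS8_PLAIN_WITH_COMMENT)]:
        print(f"{name:22s} naive grep={'ENCRYPTED' in sample!s:5s} parsed={is_encrypted_private_key(sample)}")
        for err in validate_key_import(sample):
            print("   ->", err)
```

The parser approach matters because the plain "scan for the word ENCRYPTED" suggestion would reject a perfectly good key whose accompanying comment or description happens to contain that word, while a key that is actually encrypted is reliably identified by its Proc-Type header or PKCS#8 label. Rejecting at import is what stops the silent failure seen in this bug, where signing with a passphrase-protected key that nobody supplied a passphrase for produced an empty <crt/> in config.xml.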
Updated by Jim Pingle about 14 years ago
- Subject changed from Export of internally generated certificate (crt) is empty to Export of internally generated certificate (crt) is empty when made from encrypted CA key
Prompting for the password is too large of a change to try squeezing in at this point in the release cycle. I'll look into updating the input validation to reject an encrypted key.
Updated by Jim Pingle about 14 years ago
- % Done changed from 0 to 100
Applied in changeset 46698c3f3c5e3f2e98829757616ddda3ce779b6d.
Updated by Jim Pingle almost 13 years ago
- Status changed from Feedback to Resolved