Bug #1446
closed
Export of internally generated certificate (crt) is empty when made from encrypted CA key
Added by Claudio Thomas about 14 years ago.
Updated almost 13 years ago.
Affected Architecture:
i386
Description
After generating my own certificate, the exported crt is empty.
How the problem can be reproduced:
- My own CA certificate (self-signed) was already imported
- System->Cert Manager->Certificates:
- "add or import"
- Method: Create an internal certificate
- email-address and cn changed
- Save
- System->Cert Manager->Certificates:
- export crt => Received file is empty (0 Bytes)
This was checked with
pfSense 2.0-RC1 (i386) built on Tue Apr 19 23:03:17 EDT 2011
Files
- Status changed from New to Feedback
I performed that exact same sequence (imported a CA, generated a certificate, and exported) and I got the expected data, no empty files.
Check your config, see if the crt tag is actually empty there, maybe try a different browser and/or clear your cache if it's not empty in the config.
There must be something about either your imported CA or another part of your procedure that is causing the issue if it really is blank. Since I can't reproduce it exactly as above, more information is needed.
Tag in /cf/conf/config.xml is empty:
<cert>
<refid>4daeeb458a580</refid>
<descr><![CDATA[thomas_c]]></descr>
<caref>4dad3002120e0</caref>
<crt/>
<prv>LS0t...S0tCg==</prv>
</cert>
Tried to create with FF 3.6.16, Chrome 10.0.648.205 and IE 8.0.7600.16385 64-bit. The browser cache was always cleared before.
The creation was done using a self-signed CA cert. The CA cert was imported before with "Import an existing Certification Authority" (crt+key).
If I "Create an internal Certification Authority" and use this to generate the cert, then the tag <cert> is not empty. So the problem seems to be the external CA cert.
Is there a log anywhere that I could offer, where the cert generation (and problems) is logged?
Attached are the properties of the imported CA certificate, in case the properties of the CA are the problem.
(created with openssl req -text -noout -in ca_20100621090523.crt )
Might be something specific to your CA then, hard to say without trying it out. I imported a CA I had made a long time ago in EasyRSA and I made certs from it just fine.
How exactly did you create your CA? Perhaps I can reproduce it if I make a CA the same way.
I think I found the problem. The imported CA private key was encrypted:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,84DB19C71CB1206D
lm6...ThJx2rNgUiCCJML3kzSQyN5NxRub0oaPlCxL8qyINtY7IW/scP
-----END RSA PRIVATE KEY-----
After replacing the key with the unencrypted version, it runs without problems.
Now I remember that I expected the UI to ask me for the password every time I want to generate a new cert.
Well, I suggest that when a "Certificate Private Key" is imported, the ASCII content should be scanned for the word "ENCRYPTED". If found, the import should not be possible, and a warning should explain the behavior.
Better would be to expand the config.xml with information that the private key is encrypted, so that the UI can ask for the password when trying to generate a new cert.
- Subject changed from Export of internally generated certificate (crt) is empty to Export of internally generated certificate (crt) is empty when made from encrypted CA key
Prompting for the password is too large of a change to try squeezing in at this point in the release cycle. I'll look into updating the input validation to reject an encrypted key.
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
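The input validation the developer proposes in the last comment (reject a passphrase-protected CA key at import time rather than letting certificate generation silently produce an empty crt) could look like the following. This is an added example written for this page, not pfSense's own code; the PEM fragments are constructed fakes with meaningless base64 bodies. Besides the legacy `Proc-Type: 4,ENCRYPTED` header shown in the report, it also recognizes the PKCS#8 `ENCRYPTED PRIVATE KEY` block label, which goes beyond the plain string search suggested in the thread.

```python
"""Detect passphrase-protected PEM private keys before accepting a CA import.

Added illustration for the bug thread above; not pfSense code.
"""
import re

# Legacy OpenSSL ("traditional") PEM marks encryption with a Proc-Type header
# inside the BEGIN/END block, exactly as in the key pasted in the report.
_PROC_TYPE_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", re.MULTILINE)

# A generic PEM block: label on the BEGIN line, body up to the matching END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def pem_blocks(text):
    """Return a list of (label, body) tuples for every PEM block in text."""
    return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]


def is_encrypted_private_key(pem_text):
    """True if the text holds a passphrase-protected private key.

    Covers both encodings: the PKCS#8 'ENCRYPTED PRIVATE KEY' label and the
    legacy 'Proc-Type: 4,ENCRYPTED' header inside an 'RSA/EC PRIVATE KEY' block.
    """
    for label, body in pem_blocks(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and _PROC_TYPE_ENCRYPTED.search(body):
            return True
    return False


def validate_ca_key_import(pem_text):
    """Import-time validation in the spirit of the proposed fix.

    Returns a list of error strings; an empty list means the key may be stored.
    """
    errors = []
    blocks = pem_blocks(pem_text)
    if not any(label.endswith("PRIVATE KEY") for label, _ in blocks):
        errors.append("No PEM private key block found.")
    elif is_encrypted_private_key(pem_text):
        errors.append(
            "The private key is encrypted. Import an unencrypted key "
            "(decrypt it with 'openssl rsa -in enc.key -out plain.key' first); "
            "certificates signed by an encrypted CA key would come out empty."
        )
    return errors


# Constructed samples (fake bodies); only the PEM framing matters for the check.
ENCRYPTED_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

bm90IGEgcmVhbCBrZXksIGNvbnN0cnVjdGVkIHNhbXBsZQ==
-----END RSA PRIVATE KEY-----
"""

ENCRYPTED_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
bm90IGEgcmVhbCBrZXksIGNvbnN0cnVjdGVkIHNhbXBsZQ==
-----END ENCRYPTED PRIVATE KEY-----
"""

PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
bm90IGEgcmVhbCBrZXksIGNvbnN0cnVjdGVkIHNhbXBsZQ==
-----END RSA PRIVATE KEY-----
"""

CERT_ONLY = """-----BEGIN CERTIFICATE-----
bm90IGEgcmVhbCBjZXJ0LCBjb25zdHJ1Y3RlZCBzYW1wbGU=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for name, sample in [("legacy", ENCRYPTED_LEGACY), ("pkcs8", ENCRYPTED_PKCS8),
                         ("plain", PLAIN_KEY), ("cert", CERT_ONLY)]:
        print(name, "->", validate_ca_key_import(sample) or "ok")
```

Matching on the PEM framing rather than grepping the whole paste for "ENCRYPTED" avoids false positives from descriptive text a user might paste alongside the key, and the separate PKCS#8 branch matters because keys exported by newer OpenSSL releases default to that format and carry no Proc-Type line at all.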