Project

General

Profile

Actions

Bug #15440

closed

CA certificates are not added to the Trust Store

Added by J Rey 7 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.11
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Actions #1

Updated by Jim Pingle 7 months ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from CA Certificate not adding to trust store to CA certificates are not added to the Trust Store
  • Category changed from Certificates to Certificates
  • Status changed from New to In Progress
  • Assignee set to Jim Pingle
  • Target version set to 2.8.0
  • Affected Plus Version deleted (24.03)
  • Plus Target Version set to 24.07

Looks like the behavior of certctl rehash changed and now it wipes out the contents of that directory when it did not do that in the past. So either we change it so we write out our custom entries after certctl rehash (in which case a manual invocation will wiped them again) or we write the CAs out slightly different so that certctl rehash pulls them in natually itself rather than us maintaining that separately.

I'm leaning toward the second approach which seems to work OK in testing here, placing the CA cert files in /usr/local/etc/ssl/certs with a crt extension and then when certctl rehash runs they end up in /etc/ssl/certs/ as before.

Actions #2

Updated by Jim Pingle 7 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #3

Updated by Georgiy Tyutyunnik 7 months ago

tested the patch:
seems like imported ca is correctly recognised post-import as trusted only if you manually re-run 'certctl rehash' after importing

Actions #4

Updated by Jim Pingle 7 months ago

Georgiy Tyutyunnik wrote in #note-3:

tested the patch:
seems like imported ca is correctly recognised post-import as trusted only if you manually re-run 'certctl rehash' after importing

The CA manager already runs that when making any changes, but it can take several minutes to finish depending on the hardware (check the output of ps uxaww | grep certctl for example). Is it possible you didn't wait long enough for it to finish before testing?

Actions #5

Updated by Georgiy Tyutyunnik 7 months ago

I stand corrected.
patch works, wait time around 3 mins after adding a cert to trusted

Actions #6

Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved
Actions #7

Updated by Jim Pingle 6 months ago

  • Plus Target Version changed from 24.07 to 24.08
Actions #8

Updated by Jim Pingle about 1 month ago

  • Plus Target Version changed from 24.08 to 24.11
Actions

Also available in: Atom PDF