PKI : CA signing external CSR
I like the internal CA included with pfsense.
I would like to use it to also sign certificates for my servers.
I would like to import the Certificate Signing Request (CSR) generated on a server and use the pfSense CA to generate the server certificate.
Other people have requested this feature on the forum, for example: https://forum.pfsense.org/index.php?topic=70122.0
I don't know if there is a command line to do it already.
Updated by Bruce Simpson over 5 years ago
+1 for this feature -- it's pretty much essential for implementing PKI across an infrastructure.
So I wanted to enrol an HPE 1920 workgroup switch in pfSense's CA today. I was unable to do this with the GUI. The device would not accept a pre-issued server certificate, but it would generate CSRs.
Whilst I was able to use openssl(1) from the command line to do this, it required spoofing the demoCA/ tree which the default OpenSSL config wants.
Also, the CA certificate and key are bound up in the config.xml. There is no direct way to expose them unless you have OpenVPN running, in which case they will be unpacked for its use.
The upside of doing things this way is that it is slightly more secure in one way -- the private key never leaves the external device.
The downside of doing things this way is that it breaks the PKI -- the certificate will be issued with a serial number which pfSense is unaware of, and its internal CA will also be unaware of the certificate.
Updated by Curtis Ruck over 5 years ago
+1. Some applications will generate a new private key internally, and only export the CSR, these applications do this to protect the private key, as trying to export pfsense generated & signed certificates leads to the private key existing in too many places (Even temporarily) for it to be securely used.
Updated by Tech Synedra over 4 years ago
+1 for that rather basic feature!
It should be easy to implement; there is already a similar package that handles similar tasks:
OpenVPN Client Export
This one handles Certificates and Keys on a commandline basis.
Here are the necessary steps to sign a CSR on a pfSense:
Basically I know how to handle the request on the command line, but it would be great to have it done via the UI of pfSense.
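The command-line route the posts above describe (a device generates its own key and exports only the CSR, which is then signed by the CA's certificate and key using `openssl x509 -req`, which needs no demoCA/ tree), as an added example that is not from this thread or from the pfSense project. It assumes openssl(1) on PATH and generates a throwaway CA in place of the CA certificate and key exported from pfSense; the hostname and file names are constructed.

```shell
#!/bin/sh
# Added example: sign an externally generated CSR with a CA cert/key pair.
# Assumes openssl(1); the CA here is throwaway, standing in for the one
# exported from pfSense. The device key never leaves the "device" side.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA (stand-in for the pfSense CA cert and key).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Device side: key generated locally, only the CSR is handed to the CA.
make_device_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=switch01.example.internal" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
}

# CA side: sign the CSR. Extensions are set here by the signer, not copied
# from the CSR, so the CA decides key usage and SANs, not the requester.
# $1 = CSR path, $2 = output cert path, $3 = DNS name for the SAN
sign_csr() {
  csr=$1; out=$2; dns=$3
  ext="$WORK/server.ext"
  printf '%s\n' \
    "basicConstraints=CA:FALSE" \
    "keyUsage=digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" \
    "subjectAltName=DNS:$dns" > "$ext"
  # -CAcreateserial/-CAserial keep a serial counter in ca.srl; this is the
  # only record of issued serials, which the pfSense CA itself never sees.
  openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -CAserial "$WORK/ca.srl" -days 365 -sha256 \
    -extfile "$ext" -out "$out" 2>/dev/null
}

# Returns exit status 0 if the issued cert chains to the CA.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

make_demo_ca
make_device_csr
sign_csr "$WORK/device.csr" "$WORK/device.crt" switch01.example.internal
verify_cert "$WORK/device.crt" && echo "issued and verified: $WORK/device.crt"
```

The issued serial lives only in ca.srl, so the internal CA remains unaware of the certificate, which is exactly the gap this request asks the GUI to close.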