Bug #6453
Status: closed
Auto-created certs not updated as needed by system, nor viewed/fixed easily by user
Description
I happened to be checking the certs on my router, and noticed the main webconfigurator cert was 1024 bits, which has been considered unsuitable for a few years. The reason was that it was created under pfSense 2.0.x, which used 1024-bit certs and a 2000-day lifetime. In 2.1 this was upgraded to 2048 bits, but system_webgui_start() only checks for existence; it doesn't check for minimum acceptability. Therefore a new 2.1 install had a 2048-bit key, but a 2.0 system upgraded to 2.1 kept an outdated key size and a lifespan of about 5.5 years.
The user, even if they notice this, can't easily fix it through the certificate manager because there isn't an obvious way to delete, revoke, or regenerate a problematic non-user-created cert (the inbuilt CA doesn't appear in the revocation page either so the old cert can't be added there). I don't know if the same issue would arise with a compromised system-generated cert but I suppose it could.
As I don't know whether the web configurator is sensitive to deletion or change of its certificate (e.g. before it is started), and I don't know what other certs might have similar problems, I'm redmining this instead. It raises several questions:
- Key size adequacy for system-created certs probably needs checking explicitly during config upgrades (like any other old data detected when config.xml is brought up to the latest version), since that's when new key specs would be amended in the codebase anyway;
- There's also a bit of a concern whether the system correctly expires and recreates old system-created certificates. For example, suppose I wait 5 years: would the web configurator be unable to use the current cert (due to valid_to timing) but also not replace it with a new one (since the one time it checks, it would find an existing cert but not realise it's out of date)? Does this happen on any other certs? Should there be a 24-hourly cron job to check for expired system-generated certs and make sure action is taken on them when they expire?
- It would be helpful if users had a way to view all certs and CAs in the cert manager. As well as transparency, it would allow the user to manage/regenerate/revoke system-generated certs as easily as user-created certs.
- Last, is 2000 days a sensible lifetime for any "invisible-to-user" system certificate? Encryption can move on quite fast, and perhaps 1-2 years is enough?
To help this along, I've added a function to return the key size of a cert (https://github.com/pfsense/pfsense/pull/2994), as this is useful anyway and would be needed here.
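As an added illustration of the check the report says system_webgui_start() lacks (this is example code written for this page, not pfSense code or the linked pull request), the function below reports the key size of a PEM certificate and lists reasons it should be regenerated: key below a minimum, expired, or close to expiry. The minimum of 2048 bits and the 30-day renewal window are assumed policy values, and the key-size check assumes RSA keys; the weak 1024-bit, 2000-day test cert is constructed inline to mirror what pfSense 2.0.x produced.

```php
<?php
// Added example (not pfSense code): decide whether a system-generated cert needs
// regeneration by checking key size and validity window, not just existence.

// Assumed policy values for this example; the page only documents the old
// 1024-bit / 2000-day behaviour, not pfSense's actual thresholds.
const MIN_RSA_BITS = 2048;
const RENEW_BEFORE_EXPIRY_SECS = 30 * 86400;

/**
 * Return the key size in bits of a PEM certificate's public key, or false on failure.
 */
function cert_key_bits(string $pem) {
    $x509 = openssl_x509_read($pem);
    if ($x509 === false) { return false; }
    $pkey = openssl_pkey_get_public($x509);
    if ($pkey === false) { return false; }
    $details = openssl_pkey_get_details($pkey);
    return $details === false ? false : $details['bits'];
}

/**
 * Return a list of reasons the cert should be regenerated (empty list = acceptable).
 * $now can be passed in to evaluate the cert at a different point in time.
 */
function cert_regen_reasons(string $pem, ?int $now = null): array {
    $now = $now ?? time();
    $reasons = array();
    $info = openssl_x509_parse($pem);
    if ($info === false) { return array('unparseable certificate'); }
    $bits = cert_key_bits($pem);
    if ($bits === false || $bits < MIN_RSA_BITS) {
        $reasons[] = sprintf('key size %s below minimum %d', var_export($bits, true), MIN_RSA_BITS);
    }
    if ($now < $info['validFrom_time_t']) { $reasons[] = 'not yet valid'; }
    if ($now >= $info['validTo_time_t']) { $reasons[] = 'expired'; }
    elseif ($info['validTo_time_t'] - $now < RENEW_BEFORE_EXPIRY_SECS) { $reasons[] = 'expires within renewal window'; }
    return $reasons;
}

// Constructed self-test: a self-signed 1024-bit, 2000-day cert like pfSense 2.0.x created.
$key = openssl_pkey_new(array('private_key_bits' => 1024, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
$csr = openssl_csr_new(array('commonName' => 'webConfigurator-example'), $key, array('digest_alg' => 'sha256'));
$cert = openssl_csr_sign($csr, null, $key, 2000, array('digest_alg' => 'sha256'));
openssl_x509_export($cert, $pem);
echo "Checked today:\n";            print_r(cert_regen_reasons($pem));
echo "Checked 2001 days from now:\n"; print_r(cert_regen_reasons($pem, time() + 2001 * 86400));
```

Run with the PHP openssl extension enabled; the second call shows how a cert that passed the existence check would still be flagged once its valid_to date has passed.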