SSL Include CA Certs
Option to have an internal or imported CA (such as an imported self-signed CA) included in SSL for verify peer for downloads, email notifications, DynDNS check ip service, etc. So we can seamlessly use self-signed cert on our servers.
#2 Updated by NOYB NOYB over 3 years ago
Kill Bill wrote:
Am I the only one who cannot make sense of the request? No, self-signed certs will never be seamless with browsers, or clients.
Please refrain from making false declarations about something that you admit to not understanding.
The request is not whether or not it is possible. I already know that it is possible. The request is for the feature/capability to be implemented.
#4 Updated by NOYB NOYB over 3 years ago
Kill Bill wrote:
Apparently we have a language problem here, so perhaps let's try again in a more simple way: WTH is "included in SSL" supposed to mean?
Much better. Now you are seeking to understand rather than just saying no out of hand.
Putting a CA of self-signed certs in the client's certificate store, such as trusted roots in Windows, or in the case of pfSense the CA bundle it uses, which is what we are talking about here, allows the self-signed certs to be trusted.
Currently we have to manually edit the CA bundle file to add our CAs.
Would like a feature/option added to the CA certs GUI to have pfSense include the CA in the bundle used by SSL.
#5 Updated by Chris Linstruth over 3 years ago
This looks like another redmine that should be a forum post.
Sending the self-signed CA along with the certificate when a browser connects to pfSense will do nothing to eliminate certificate errors on the connecting client. The CA will still have to be installed and trusted there.
All of that currently works fine.
If that is not what you are talking about you will have to be a lot more clear in describing what you are looking for.
#7 Updated by NOYB NOYB over 3 years ago
Chris Linstruth wrote:
Or are you talking about installing a CA in pfSense so connections it makes outbound can be trusted/verified when connecting to services that present certificates signed by that CA?
Yes. This is what is being requested. Can manually add the CA to the bundle file and it will work. But would like an option built into the CA certs GUI to include the CA so we don't have to manually add it to CA bundle.
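The manual step discussed in the comment above, as an added example that is not part of the original thread or of pfSense's code: it appends a CA to a PEM bundle only if it is not already there, and shows a certificate issued by that CA failing verification before the append and passing after. It assumes the `openssl` CLI is installed; all file names and subjects are constructed, and the bundle is a stand-in, not pfSense's real bundle path.

```shell
#!/bin/sh
# Added example. File names and subjects are constructed for the demo;
# they are not pfSense's real bundle path or anything from the ticket.

# Print the SHA-256 fingerprint of each certificate in a PEM bundle.
bundle_fingerprints() {
    awk -v cmd="openssl x509 -noout -fingerprint -sha256" '
        /-----BEGIN CERTIFICATE-----/ { pem = "" }
        { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/ { printf "%s", pem | cmd; close(cmd) }' "$1"
}

# Append CA_PEM to BUNDLE unless a cert with the same fingerprint is present.
add_ca_to_bundle() {  # usage: add_ca_to_bundle BUNDLE CA_PEM
    fp=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    if bundle_fingerprints "$1" | grep -qxF "$fp"; then return 0; fi
    { echo; openssl x509 -in "$2"; } >> "$1"
}

# Succeed if openssl can build a chain for CERT using BUNDLE
# (openssl verify also consults its default trust directory).
bundle_trusts() {  # usage: bundle_trusts BUNDLE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build throwaway material in DIR: a stand-in stock bundle holding one
# unrelated CA, an internal CA, and a server cert signed by the internal CA.
make_demo() {  # usage: make_demo DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Public CA" \
        -keyout "$1/pub.key" -out "$1/bundle.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=internal.example" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/srv.pem" 2>/dev/null
}

# Demo run: verification result before and after the CA is added.
demo=$(mktemp -d) || exit 1
make_demo "$demo" || exit 1
if bundle_trusts "$demo/bundle.pem" "$demo/srv.pem"; then echo "before: trusted"; else echo "before: rejected"; fi
add_ca_to_bundle "$demo/bundle.pem" "$demo/ca.pem" || exit 1
if bundle_trusts "$demo/bundle.pem" "$demo/srv.pem"; then echo "after: trusted"; else echo "after: rejected"; fi
rm -rf "$demo"
```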
#8 Updated by Ross Williams over 3 years ago
This is a duplicate of #4068. I am considering addressing this issue, as it affects our operations using pfSense on an internal network behind an HTTPS proxy. I'll post updates to that older issue if I begin work or make any forum posts.
Also, #6687 would appear to be resolved by (optionally?) trusting configured CA certs.