Feature #7242
closedSSL Include CA Certs
0%
Description
Option to have an internal or imported CA (such as an imported self-signed CA) included in SSL for verify peer for downloads, email notifications, DynDNS check ip service, etc. So we can seamlessly use self-signed cert on our servers.
Updated by Kill Bill almost 8 years ago
Am I the only one who cannot make sense of the request? No, self-signed certs will never be seamless with browsers, or clients.
Updated by NOYB NOYB almost 8 years ago
Kill Bill wrote:
Am I the only one who cannot make sense of the request? No, self-signed certs will never be seamless with browsers, or clients.
Please refrain from making false declarations about something that you admit to not understanding.
The request is not whether or not it is possible. I already know that it is possible. The request is for the feature/capability to be implemented.
Updated by Kill Bill almost 8 years ago
Apparently we have a language problem here, so perhaps let's try again in a more simple way: WTH is "included in SSL" supposed to mean?
Updated by NOYB NOYB almost 8 years ago
Kill Bill wrote:
Apparently we have a language problem here, so perhaps let's try again in a more simple way: WTH is "included in SSL" supposed to mean?
Much better. Now you are seeking to understand rather than just saying no out of hand.
Putting a CA of self-signed certs in the clients certificate store, such as trusted roots in Windows, or in the case of pfSense the CA bundle it uses, which is what we are talking about here, allows the self-signed certs to be trusted.
Currently we have to manually edit the CA bundle file to add our CA's.
Would like a feature/option added to the CA certs GUI to have pfSense include the CA in the bundle used by SSL.
Updated by Chris Linstruth almost 8 years ago
This looks like another redmine that should be a forum post.
Sending the self-signed CA along with the certificate when a browser connects to pfSense will do nothing to eliminate certificate errors on the connecting client. The CA will still have to be installed and trusted there.
All of that currently works fine.
If that is not what you are talking about you will have to be a lot more clear in describing what you are looking for.
Updated by Chris Linstruth almost 8 years ago
Or are you talking about installing a CA in pfSense so connections it makes outbound can be trusted/verified when connecting to services that present certificates signed by that CA?
Updated by NOYB NOYB almost 8 years ago
Chris Linstruth wrote:
Or are you talking about installing a CA in pfSense so connections it makes outbound can be trusted/verified when connecting to services that present certificates signed by that CA?
Yes. This is what is being requested. Can manually add the CA to the bundle file and it will work. But would like an option built into the CA certs GUI to include the CA so we don't have to manually add it to CA bundle.
Updated by Ross Williams almost 8 years ago
This is a duplicate of #4068. I am considering addressing this issue, as it affects our operations using pfSense on an internal network behind a HTTPS proxy. I'll post updates to that older issue if I begin work or make any forum posts.
Also, #6687 would appear to be resolved by (optionally?) trusting configured CA certs.
Updated by Kill Bill almost 8 years ago
Yeah, it's indeed a duplicate of Bug #4068 which at least describes the issue in a comprehensible way.