Feature #7383
closedsystem_certmanager.php?act=new: Add new select option to sign a CSR
Added by Anonymous over 7 years ago. Updated 9 months ago.
0%
Description
Certificate Manager -> Certificates -> Add New: There would be a new select option 'Sign a Certificate Signing Request'. This would allow the user to paste a CSR, then pick a CA from the pfSense configuration to sign that CSR.
THe signed certificate would be presented on-screen to allow it to be copied to the clipboard, or downloaded to the user's workstation.
Updated by Anonymous over 7 years ago
- Status changed from New to Feedback
Functionality has been added as requested
https://github.com/pfsense/pfsense/commit/2052d3e2ae3acf5564a460dad91966a6d77b3b51
Updated by John Murphy over 7 years ago
Current Base System 2.4.0.b.20170314.0021
Option not displayed in Cert. Manager GUI. Checked CAs, Certificates, and Certificate Revocation. The option doesn't appear in any of the method drop downs.
Updated by Anonymous over 7 years ago
Use a build from after the time the change was made. Your build was made at 0021 hrs, the new code was added at 1300 hrs. You should see it in the next snapshot.
Updated by James Snell over 7 years ago
Build 2.4.0.b.20170314.2306
The option "Sign a Certificate Signing Request" is now present.
Created a signing request against the local CA.
The request was listed. Selecting it from the list did not import the signing request data or key into the textboxes and it wasn't clear where to obtain the CSR Key in the required format.
I downloaded and copied the text from the requests .key file (which may not be correct) and received an OpenSSL error :-
openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
Not sure if this is user error on my part or a code issue.
Updated by John Murphy over 7 years ago
Current Base System 2.4.0.b.20170315.0313
Option not available. What am I missing? Isn't this a later snapshot? Maybe that would be a good feature - the ability to select from the 20 most current snapshots if you're on the development train.
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Assigned
I also get "openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line" when attempting to sign an existing CSR or one pasted in to import.
Updated by Anonymous over 7 years ago
A fix for the Openssl library error is on the way.
Select Method->Sign a Certificate Signing Request
Use the "CSR to sign" control to select an existing CSR, or select "New" to paste in a new one.
If creating a new one:
Paste the PEM formatted CSR into the CSR Data textbox
The Key data field is optional and can be used to associate a private key with the newly signed cert in the pfSense configuration
Click "Save"
Updated by James Snell over 7 years ago
Build 2.4.0.b.20170323.1221
I was able to create a signing request and sign it via the UI.
The CSR remained in the certificates list after being signed and I was able to sign it again. If this is correct behaviour then we can close this issue.
Updated by Larry Westfall over 7 years ago
Build 2.4.0.b.20170527.2111
External generated CSR failed with
The following input errors were detected:
•This signing request does not appear to be valid.
Also there does not seem to be a way to choose between a user and server cert.
Below is the request:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC3zCCAccCAQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk9IMRIwEAYDVQQH
EwlBc2h0YWJ1bGExDTALBgNVBAoTBGVubXMxDjAMBgNVBAsTBWxvY2FsMRswGQYD
VQQDExJwYXIubG9jYWwubmVtcy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQC+P7zU7IvastpPHCJAonIpH3vV47TGPphCV+bE4p/y8yp4VdeZwZAU
QlWXxuLqCZoWKyXM06SSczQU+rzJGM7o4QPXOCQk9HjXeV84pSdTQDysUtu3TYDP
8dhrZrwg3Snk+mK0JAKqLNomSJFZ+zdBMnOdQEc3ISJLj5cxS311ZF64sf7kzm/7
CVBl2xKfhO2GhGIr504oz3PU9IPwyknyDzqYacwKZVtiwvkBoLJGxlT4Fbgggd6N
FSv1CkTykfe/3rlgP2KldH3VMW5poXwampkUmAI2atyba9L5LpYvGWweUajPsJ45
85c8q9OcTsQDAw2uDhW9OwzxTARHCOfBAgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAf
MB0GA1UdDgQWBBSB2y2Xd3QFWhyltjG30quElHq+TDANBgkqhkiG9w0BAQsFAAOC
AQEAQZvdw/KOwfj850qnNKEqTr7+tPXCl0LPD23YguILu0mfO21SBK/3jswPdhWe
vPmnaW8F5kNxwhzJaE3s2DbhZg3kWjc481mfSPQfeGIfbT6aH4YgefAWE/IQXBPw
2pHpwkLfrYgYYZO4cz2qmHgafC1TdczwsXyNCDvssBeeMOUWV6pmSyoE9GYg3v8b
4tya/cG8WUh1Kbj1jTMu6i8DgAM8E3z8Ivoz6eWGfX0XcFcwCIK/0ZJ075PO4pDX
2DDsrfa4VvQdOIR4T0jumEqilFWIcKpccGVx9JYR/yWSI4zktQrBMnp7tKAiDZgO
MupcAuDwFpeEQIDRpbBZkuOFJQ==
-----END NEW CERTIFICATE REQUEST-----
Updated by Joseph McGuirl over 7 years ago
Larry Westfall wrote:
Build 2.4.0.b.20170527.2111
External generated CSR failed with
The following input errors were detected:
•This signing request does not appear to be valid.Also there does not seem to be a way to choose between a user and server cert.
Below is the request:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC3zCCAccCAQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk9IMRIwEAYDVQQH
EwlBc2h0YWJ1bGExDTALBgNVBAoTBGVubXMxDjAMBgNVBAsTBWxvY2FsMRswGQYD
VQQDExJwYXIubG9jYWwubmVtcy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQC+P7zU7IvastpPHCJAonIpH3vV47TGPphCV+bE4p/y8yp4VdeZwZAU
QlWXxuLqCZoWKyXM06SSczQU+rzJGM7o4QPXOCQk9HjXeV84pSdTQDysUtu3TYDP
8dhrZrwg3Snk+mK0JAKqLNomSJFZ+zdBMnOdQEc3ISJLj5cxS311ZF64sf7kzm/7
CVBl2xKfhO2GhGIr504oz3PU9IPwyknyDzqYacwKZVtiwvkBoLJGxlT4Fbgggd6N
FSv1CkTykfe/3rlgP2KldH3VMW5poXwampkUmAI2atyba9L5LpYvGWweUajPsJ45
85c8q9OcTsQDAw2uDhW9OwzxTARHCOfBAgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAf
MB0GA1UdDgQWBBSB2y2Xd3QFWhyltjG30quElHq+TDANBgkqhkiG9w0BAQsFAAOC
AQEAQZvdw/KOwfj850qnNKEqTr7+tPXCl0LPD23YguILu0mfO21SBK/3jswPdhWe
vPmnaW8F5kNxwhzJaE3s2DbhZg3kWjc481mfSPQfeGIfbT6aH4YgefAWE/IQXBPw
2pHpwkLfrYgYYZO4cz2qmHgafC1TdczwsXyNCDvssBeeMOUWV6pmSyoE9GYg3v8b
4tya/cG8WUh1Kbj1jTMu6i8DgAM8E3z8Ivoz6eWGfX0XcFcwCIK/0ZJ075PO4pDX
2DDsrfa4VvQdOIR4T0jumEqilFWIcKpccGVx9JYR/yWSI4zktQrBMnp7tKAiDZgO
MupcAuDwFpeEQIDRpbBZkuOFJQ==
-----END NEW CERTIFICATE REQUEST-----
Has there been any progress on this?
Updated by Jim Pingle over 7 years ago
Larry Westfall wrote:
Below is the request:
-----BEGIN NEW CERTIFICATE REQUEST-----
That's the problem, it has "NEW" in it. At least the ones generated on pfSense only have "BEGIN CERTIFICATE REQUEST". I added another check to allow your variant to pass and it works when I try it.
Updated by Jim Pingle over 7 years ago
Also, as of 0c82b8c2a77bba6b2b3ab42a880c0e478ebc70f6 I have changed how this operates slightly, there were a couple other bugs lingering and missing functionality I added in. It should be solid on the next round of snapshots.