Bug #8033
closed
Certmanager import server certificate ignores purpose server
Description
When importing a certificate generated with tinyca as a server certificate (PEM), the server setting gets ignored and the web page displays Server:NO
This leads to the effect that no OpenVPN connections are working.
openssl x509 -purpose -in mycert.pem -noout -text reveals (relevant part only):
    Certificate purposes:
    SSL client : No
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    ...
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Server
        Netscape Comment:
            RZBServerCA Server Certificate
The public part of the certificate is attached
Updated by Jim Pingle over 7 years ago
- Status changed from New to Not a Bug
"Netscape Certificate Type"/nsCertType has been deprecated for quite some time as a supported certificate attribute (everywhere, not just pfSense).
A contemporary server certificate must have the "TLS Web Server Authentication"/serverAuth extended key usage (EKU) attribute, NOT nsCertType.
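
The distinction drawn in the reply above, as an added example that is not part of the original ticket or of pfSense: a shell function that reads `openssl x509 -noout -text` output and reports whether a certificate carries the serverAuth EKU or only the deprecated nsCertType. The function name, the result labels and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Real use: openssl x509 -in mycert.pem -noout -text | classify_server_cert

classify_server_cert() {
    awk '
        # openssl prints each extension value on the line after its name.
        # The name line may end in "critical", so match on the prefix only.
        /X509v3 Extended Key Usage:/ { want = "eku"; next }
        /Netscape Cert Type:/        { want = "ns";  next }
        want == "eku" && /TLS Web Server Authentication/ { eku = 1 }
        want == "ns"  && /SSL Server/                    { ns = 1 }
        { want = "" }
        END {
            if (eku)     print "eku-serverAuth"
            else if (ns) print "nsCertType-only"
            else         print "no-server-usage"
        }'
}

# Extension block as shown in the report above (nsCertType only).
sample_nscert_only() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                RZBServerCA Server Certificate
EOF
}

# Constructed sample: the same profile with the serverAuth EKU present.
sample_with_eku() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
EOF
}

sample_nscert_only | classify_server_cert   # nsCertType-only
sample_with_eku    | classify_server_cert   # eku-serverAuth
```

A result of `nsCertType-only` matches the certificate in this report: the legacy Netscape attribute is set, but the EKU that the reply says a contemporary server certificate must have is absent.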