Bug #8569

closed

Certificates generated using deprecated extensions

Added by Justin Coffman almost 6 years ago. Updated almost 6 years ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 06/12/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Any certificate generated in the certificate management interface is generated with a Netscape Cert Type extension indicating the purpose of the certificate. This extension is old and its use has been deprecated for a long time. In fact, the nsCertType extension shows up as an unknown extension as of OpenSSL v1.1. OpenVPN also deprecated the use of this extension quite some time ago, and is soon to remove the ns-cert-type option from OpenVPN entirely.

https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--ns-cert-type

The correct method is to set the X.509v3 Key Usage and X.509v3 Extended Key Usage fields correctly.

Accordingly, the web UI for pfSense should stop looking for the nsCertType extension to determine/display if the certificate is a client or server certificate, and set/follow the KU/EKU extensions. In OpenVPN, "remote-cert-tls" has replaced "ns-cert-type"; this checks the KU/EKU fields appropriately.

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Server
            Netscape Comment: 
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier: 
                AB:77:8C:16:BA:39:51:49:14:79:F0:33:C5:A6:C6:62:4F:31:22:8D
            X509v3 Authority Key Identifier: 
                keyid:FA:D8:C3:33:05:F7:23:F7:F6:B4:19:E1:F4:0F:27:3B:66:BF:A1:FC
                DirName:/CN=Test CA/C=US
                serial:5B:1E:C6:B5:0A:5C:54:10
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
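The report argues that a certificate's role should be decided from X509v3 Key Usage / Extended Key Usage rather than from nsCertType, which is also what OpenVPN's remote-cert-tls does. The script below is an added example, not code from pfSense or from this ticket: it issues a throwaway CA and server certificate with KU/EKU only (no Netscape Cert Type), then applies a role test in the spirit of remote-cert-tls (EKU serverAuth or clientAuth, plus KU digitalSignature) and OpenSSL's own sslserver purpose check. It assumes the openssl command-line tool is installed; the subjects, file names and config section names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the pfSense tracker or project): issue a server
# certificate that carries only KU/EKU, then classify it without nsCertType.
# Assumes the openssl CLI; every name and subject below is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a self-signed CA and a CA-signed server leaf into directory $1.
# Profiles use basicConstraints + keyUsage + extendedKeyUsage only.
issue_certs() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Test CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # CA key and self-signed CA certificate
    openssl req -x509 -config "$1/ext.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj "/CN=Test CA" -days 2 >/dev/null 2>&1
    # Server key + CSR, signed by the CA with the server_ext profile
    openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/srv.key" -out "$1/srv.csr" -subj "/CN=vpn.example" \
        >/dev/null 2>&1
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/srv.crt" -days 2 \
        -extfile "$1/ext.cnf" -extensions server_ext >/dev/null 2>&1
}

# Prints "yes" if the deprecated Netscape Cert Type extension is present.
has_nscerttype() {
    if openssl x509 -in "$1" -noout -text | grep -q 'Netscape Cert Type'; then
        echo yes
    else
        echo no
    fi
}

# Role decision from KU/EKU in the spirit of remote-cert-tls:
#   server -> EKU TLS Web Server Authentication and KU Digital Signature
#   client -> EKU TLS Web Client Authentication and KU Digital Signature
#   none   -> anything else (e.g. a CA certificate)
cert_role() {
    text=$(openssl x509 -in "$1" -noout -text)
    ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage/{n;p;}')
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    case "$ku" in
        *"Digital Signature"*) ;;
        *) echo none; return 0 ;;
    esac
    case "$eku" in
        *"TLS Web Server Authentication"*) echo server ;;
        *"TLS Web Client Authentication"*) echo client ;;
        *) echo none ;;
    esac
}

# OpenSSL's own purpose check for a TLS server cert ($1 = CA file, $2 = leaf).
# With nsCertType absent it is decided purely by KU/EKU; exit 0 = accepted.
verify_server() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

issue_certs "$WORK"
echo "nsCertType present: $(has_nscerttype "$WORK/srv.crt")"   # no
echo "role by KU/EKU:     $(cert_role "$WORK/srv.crt")"        # server
echo "role of the CA:     $(cert_role "$WORK/ca.crt")"         # none
verify_server "$WORK/ca.crt" "$WORK/srv.crt" && echo "sslserver purpose: OK"
```

The same two functions can be pointed at a certificate exported from the pfSense GUI: a leaf that prints "yes" for nsCertType still works with remote-cert-tls as long as its KU/EKU are set, which is the point both sides of the ticket agree on.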
#1

Updated by Jim Pingle almost 6 years ago

  • Status changed from New to Not a Bug

We've been over this before when it comes up, see #6877 for example.

It doesn't hurt to have it there; the GUI checks for the other EKUs already, and we can't always control what version of OpenVPN a client uses in the wild. Some people are stuck using older embedded devices like VoIP phones with outdated OpenVPN implementations, for example.

There isn't a compelling reason to remove it.
