Feature #8634

closed

Enhance the certificate manager to support private keys with passphrases

Added by Brian Martin almost 6 years ago. Updated over 4 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Certificates
Target version: -
Start date: 07/10/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

pfSense permits certificate generation for use by OpenVPN clients, amongst others. At present, pfSense doesn't permit the creation of certificates that require a passphrase to access the private key. In previous versions, roughly <=2.3, one could work around this by generating the certificate in other systems using the same CA keys and certs, and importing the resulting user certificate into pfSense. This is no longer possible, as pfSense rejects any imported certificates with private key passphrases.

In the current state, pfSense doesn't provide a way to create or import a certificate with a passphrase on the private key. OpenVPN clients are often road warriors on laptops or phone/tablet users, and loss of their client devices is common. In these situations, a stolen device has immediate access to the VPN network because the certificates have no protection, which is unacceptable for most enterprises or secure sites. Therefore, I would like to request that the certificate manager in pfSense be enhanced to support generating and using certificates that have private keys with passphrases.

Actions #1

Updated by Brian Martin almost 6 years ago

pfSense permits certificate generation for use by OpenVPN clients, amongst others. At present, pfSense doesn't permit the creation of certificates that require a passphrase to access the private key. In previous versions, roughly <=2.3, one could work around this by generating the certificate in other systems using the same CA keys and certs, and importing the resulting user certificate into pfSense. This is no longer possible, as pfSense rejects any imported certificates with private key passphrases.

In the current state, pfSense doesn't provide a way to create or import a certificate with a passphrase on the private key. OpenVPN clients are often road warriors on laptops or phone/tablet users, and loss of their client devices is common. In these situations, a stolen device has immediate access to the VPN network because the certificates have no protection, which is unacceptable for most enterprises or secure sites. Therefore, I would like to request that the certificate manager in pfSense be enhanced to support generating and using certificates that have private keys with passphrases.

Actions #2

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Duplicate

Duplicate of #1257
