Bug #905

OpenVPN certificate manager uses incorrect key length

Added by Jim Pingle over 9 years ago. Updated over 9 years ago.

Submitted to me via e-mail from "warhol" when the DB was having issues:

Problem: Cert Manager only produces 1024bit certs,
no matter what key size is selected.

As discussed on #pfsense, a short bug report.
Last checked on: Snapshot from Sun Sep 19 01:32:51 UTC 2010 (amd64), full inst
Also checked on: earlier snapshots on embedded i386

How to reproduce:
Go to System -> Cert Manager, CAs tab, add a new CA, choose "internal CA".
Choose a key length other than 1024 (2048 is even pre-selected).
(Same game when creating an internal certificate on the Certificates tab.)

Then download the produced cert and check its details.
I use certtool from the GnuTLS project on linux:

cat test4096.crt | certtool -i

and find the following lines every time:

        Subject Public Key Algorithm: RSA
                Modulus (bits 1024):

I had produced 2048bit certs at work before with xca and tinyca,
and confirmed they show up as "bits 2048" in certtool accordingly.
So I assume the Cert Manager on pfsense just ignored the key length setting.

Associated revisions

Revision 838e27bf (diff)
Added by Jim Pingle over 9 years ago

Pass args to openssl_pkey_new() so it gets the key length too. Fixes #905


#1 Updated by Jim Pingle over 9 years ago

This can also be verified by using standard OpenSSL commands:

$ openssl rsa -noout -text -in CA4096.key
Private-Key: (1024 bit)
$ openssl x509 -noout -text -in CA4096.crt
RSA Public Key: (1024 bit)
    Modulus (1024 bit):

We do appear to be passing the correct parameters to openssl_csr_new() and openssl_csr_sign(), and casting with (int) as recommended in the PHP docs, but what we get back is always 1024. It will need some more experimentation to narrow down.

#2 Updated by Jim Pingle over 9 years ago

Looks like the key length wasn't also being passed to openssl_pkey_new. I'll be committing a fix shortly.
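
The following is an added illustration, not pfSense's own code and not the contents of revision 838e27bf: it puts the broken call pattern described above next to the corrected one and reads the resulting key size back the way the `openssl rsa` / `openssl x509` checks in comment #1 do. The function names (`make_ca_buggy`, `make_ca_fixed`, `key_bits`) and the subject DN are made up for the example. Note that the size OpenSSL falls back to when `openssl_pkey_new()` gets no options depends on the PHP and OpenSSL build (1024 bits on the 2010 snapshot in this report, 2048 on current PHP releases), so the buggy variant may print 2048 today; the point is that it ignores the requested 4096 either way.

```php
<?php
// Added example (hypothetical code, not from pfSense): why the certificate
// manager produced 1024-bit keys, and the fix from comment #2.

// BEFORE: the key length reaches openssl_csr_new() and openssl_csr_sign(),
// but openssl_pkey_new() is called without it, so the private key is
// generated at OpenSSL's default size and the CSR/certificate inherit it.
function make_ca_buggy(array $dn, $keylen, $days)
{
    $args = array(
        'private_key_bits' => (int)$keylen,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    );
    $pkey = openssl_pkey_new();                  // BUG: $args not passed
    $csr  = openssl_csr_new($dn, $pkey, $args);  // too late, key already exists
    $cert = openssl_csr_sign($csr, null, $pkey, (int)$days, $args);
    return array($pkey, $cert);
}

// AFTER: the same $args go to openssl_pkey_new() as well, so the modulus
// actually has the requested size.
function make_ca_fixed(array $dn, $keylen, $days)
{
    $args = array(
        'private_key_bits' => (int)$keylen,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    );
    $pkey = openssl_pkey_new($args);             // FIX: key length passed here
    $csr  = openssl_csr_new($dn, $pkey, $args);
    $cert = openssl_csr_sign($csr, null, $pkey, (int)$days, $args);
    return array($pkey, $cert);
}

// Regression check: modulus size of the private key and of the public key
// embedded in the certificate, equivalent to
//   openssl rsa  -noout -text -in CA.key
//   openssl x509 -noout -text -in CA.crt
function key_bits($pkey, $cert)
{
    $priv = openssl_pkey_get_details($pkey);
    $pub  = openssl_pkey_get_details(openssl_pkey_get_public($cert));
    return array('private' => $priv['bits'], 'cert' => $pub['bits']);
}

// Constructed sample subject; the requested size is 4096 as in the report.
$dn = array(
    'countryName'      => 'US',
    'organizationName' => 'Example Org',
    'commonName'       => 'example-internal-ca',
);
$requested = 4096;

foreach (array('buggy' => 'make_ca_buggy', 'fixed' => 'make_ca_fixed') as $label => $fn) {
    list($pkey, $cert) = $fn($dn, $requested, 365);
    $bits = key_bits($pkey, $cert);
    $ok = ($bits['private'] === $requested && $bits['cert'] === $requested);
    printf("%-5s: private key %d bits, certificate public key %d bits -> %s\n",
        $label, $bits['private'], $bits['cert'], $ok ? 'OK' : 'MISMATCH');
}
```

Run it with `php example.php`; the "fixed" line reports 4096 for both the key and the certificate, while the "buggy" line reports whatever default the local OpenSSL configuration uses, which is exactly the symptom the original report and the `openssl` output in comment #1 show.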

#3 Updated by Jim Pingle over 9 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#4 Updated by Andreas Bochem over 9 years ago

Confirm certs are now created with the correct key length as chosen in the gui.
Tested on Snapshot from Fri Oct 1 07:58:19 UTC 2010, amd64, full install.

#5 Updated by Jim Pingle over 9 years ago

  • Status changed from Feedback to Resolved
