OpenVPN certificate manager uses incorrect key length
Submitted to me via e-mail from "warhol" when the DB was having issues:
Problem: Cert Manager only produces 1024bit certs,
no matter what key size is selected.
As discussed on #pfsense, a short bug report.
Last checked on: Snapshot from Sun Sep 19 01:32:51 UTC 2010 (amd64), full inst
Also checked on: earlier snapshots on embedded i386
How to reproduce:
Go to System -> Cert Manager, CAs tab, add a new CA, chose "internal CA".
Chose a key length other than 1024 (2048 is even pre-selected).
(Same game when creating an internal certificate on the Certificates tab.)
Then download the produced cert and check its details.
I use certtool from the GnuTLS project on linux:
cat test4096.crt | certtool -i
and find the following lines every time:
Subject Public Key Algorithm: RSA Modulus (bits 1024):
I had produced 2048bit certs at work before with xca and tinyca,
and confirmed they show up as "bits 2048" in certtool accordingly.
So assume the Cert Manager on pfsense just ignored the key length setting.
#1 Updated by Jim Pingle over 9 years ago
This can also be verified by using standard OpenSSL commands:
$ openssl rsa -noout -text -in CA4096.key Private-Key: (1024 bit) [...]
$ openssl x509 -noout -text -in CA4096.crt [...] RSA Public Key: (1024 bit) Modulus (1024 bit):
We do appear to be passing the correct parameters to openssl_csr_new() and openssl_csr_sign(), and casting with (int) as recommended in the PHP docs (http://php.net/manual/en/function.openssl-csr-new.php), but what we get back is always 1024. It will need some more experimentation to narrow down.