Feature #9842
Add CA/certificate renewal function
Status: closed (100% done)
Description
Currently there is no way to renew an existing certificate, you have to recreate it.
Add a function to renew a certificate, with the following features:
- Keep the current key, or optionally generate a new key
- Reuse the existing values for DN, SAN, digest, key type, lifetime, etc.
- Deprecated subject items can be ignored (e.g. email)
- Force adding a SAN if it was missing
- Optionally enforce some other changes like limiting the max lifetime on server certificates, or forcing a new key/hash if the old one is insecure (too small key, sha1 or older, etc), see #9825
There should be a button next to the certificate that opens a confirmation screen with the options (make new key, enforce stronger security, etc.)
A CLI script that renews certs (found by descr or refid) would also be nice.
If it's not much more work, add CA renewal as well, but that may need to be moved to its own issue as it will have its own set of issues.
To me, I have backend code ready to handle the renewal, but it needs more work plus GUI/frontend parts.
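The renewal flow the description lists (keep or replace the key, reuse DN/SAN/digest/lifetime, keep the subject components in their stored order, force a SAN when missing, optionally tighten digest and lifetime), sketched as an added PHP example. This is illustration code, not pfSense's certs.inc; it assumes PEM strings as input, single-valued subject components, an assumed 398-day server-certificate cap under strict mode, and that the caller decides whether the old key may be reused.

```php
<?php
// Added illustration of certificate/CA renewal on top of PHP's openssl extension.
// Not pfSense code. Assumes PEM input, scalar subject values, PHP >= 7.1.

// Build a new key of the same type and strength as $old (used when "Reuse Key" is off).
function new_key_like($old, int $min_rsa_bits = 2048) {
    $d = openssl_pkey_get_details($old);
    if ($d['type'] === OPENSSL_KEYTYPE_EC) {
        // openssl_pkey_new() does not use private_key_bits for EC keys, but it still checks
        // the option against a fixed 384-bit floor, so never pass the curve size itself
        // (256 for prime256v1); pass a value that clears the floor.
        $args = ['private_key_type' => OPENSSL_KEYTYPE_EC,
                 'curve_name'       => $d['ec']['curve_name'],
                 'private_key_bits' => 384];
    } else {
        $args = ['private_key_type' => OPENSSL_KEYTYPE_RSA,
                 'private_key_bits' => max((int) $d['bits'], $min_rsa_bits)];
    }
    return openssl_pkey_new($args);
}

// Derive the digest name ("sha256") from the parsed signature type,
// e.g. "RSA-SHA256" or "ecdsa-with-SHA256"; unknown forms default to sha256.
function digest_from_sig(string $sig): string {
    return preg_match('/(sha\d+|md5)/i', $sig, $m) ? strtolower($m[1]) : 'sha256';
}

// $ca = ['cert' => PEM, 'key' => PEM] to sign with a CA, or null to self-sign (CA renewal).
function renew_cert(string $cert_pem, string $key_pem, ?array $ca, array $opts): array {
    $opts += ['reuse_key' => true, 'strict' => false, 'max_server_days' => 398, 'min_rsa_bits' => 2048];
    $x509 = openssl_x509_read($cert_pem);
    $info = openssl_x509_parse($x509);      // subject array keeps the stored RDN order
    $ext  = $info['extensions'] ?? [];
    $key  = openssl_pkey_get_private($key_pem);
    if (!$opts['reuse_key']) {
        $key = new_key_like($key, $opts['min_rsa_bits']);
    }

    // Reuse digest and lifetime; tighten them only when strict security is requested.
    $digest    = digest_from_sig($info['signatureTypeSN']);
    $days      = (int) round(($info['validTo_time_t'] - $info['validFrom_time_t']) / 86400);
    $is_ca     = strpos($ext['basicConstraints'] ?? '', 'CA:TRUE') !== false;
    $eku       = $ext['extendedKeyUsage'] ?? '';
    $is_server = strpos($eku, 'TLS Web Server Authentication') !== false;
    if ($opts['strict']) {
        if (in_array($digest, ['sha1', 'md5'], true)) { $digest = 'sha256'; }
        if ($is_server) { $days = min($days, $opts['max_server_days']); }
    }

    // Carry the SAN over (config syntax uses "IP:" where the parser prints "IP Address:");
    // if there was none, force one built from the CN.
    $san = str_replace('IP Address:', 'IP:', $ext['subjectAltName'] ?? '');
    if ($san === '' && !empty($info['subject']['CN'])) {
        $cn  = $info['subject']['CN'];
        $san = (filter_var($cn, FILTER_VALIDATE_IP) ? 'IP:' : 'DNS:') . $cn;
    }
    $eku_map = ['TLS Web Server Authentication' => 'serverAuth',
                'TLS Web Client Authentication' => 'clientAuth'];
    $eku_cfg = implode(',', array_filter(array_map(
        function ($e) use ($eku_map) { return $eku_map[trim($e)] ?? ''; }, explode(',', $eku))));

    // Extensions reach openssl_csr_new()/openssl_csr_sign() only through a config file.
    $cnf = tempnam(sys_get_temp_dir(), 'renew');
    file_put_contents($cnf, "[req]\ndistinguished_name = req_dn\nreq_extensions = v3_ext\n"
        . "x509_extensions = v3_ext\n[req_dn]\n[v3_ext]\n"
        . 'basicConstraints = CA:' . ($is_ca ? 'TRUE' : 'FALSE') . "\n"
        . ($san !== '' ? "subjectAltName = $san\n" : '')
        . ($eku_cfg !== '' ? "extendedKeyUsage = $eku_cfg\n" : ''));
    $cfg = ['config' => $cnf, 'digest_alg' => $digest,
            'req_extensions' => 'v3_ext', 'x509_extensions' => 'v3_ext'];
    try {
        $csr    = openssl_csr_new($info['subject'], $key, $cfg);      // identical subject
        $signer = $ca ? openssl_pkey_get_private($ca['key']) : $key;  // null CA = self-signed
        $new    = openssl_csr_sign($csr, $ca ? $ca['cert'] : null, $signer, $days, $cfg,
                                   random_int(1, PHP_INT_MAX));       // always a fresh serial
    } finally {
        unlink($cnf);
    }
    openssl_x509_export($new, $new_pem);
    openssl_pkey_export($key, $new_key_pem);
    return ['cert' => $new_pem, 'key' => $new_key_pem, 'days' => $days, 'digest' => $digest, 'san' => $san];
}

// Usage (constructed): renew a CA in place keeping its key, then a server cert under it
// with a fresh key and strict policy.
// $ca  = renew_cert($ca_pem, $ca_key_pem, null, ['strict' => true]);
// $srv = renew_cert($srv_pem, $srv_key_pem, ['cert' => $ca['cert'], 'key' => $ca['key']],
//                   ['reuse_key' => false, 'strict' => true]);
```

Because the subject array and (by default) the key are reused unchanged, a renewed CA keeps validating certificates it already issued, which is the point made later in the thread about preserving deprecated subject items. A new serial is always generated; reusing the old serial under the same issuer would collide with the certificate being replaced.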
Updated by Jim Pingle about 5 years ago
- Subject changed from Add certificate renewal function to Add CA/certificate renewal function
- Status changed from New to In Progress
Second-guessing the removal of deprecated subject items, since if the subject and key stay the same, clients would still consider the CA valid when renewed, without having to reissue a copy of the certificate. So the code should preserve those as well as maintain an identical subject order.
Also with some care taken about determining entry parameters, the same function can work for CA and Certificates. Backend code is nearly complete, frontend code is still a work in progress.
Updated by Jim Pingle about 5 years ago
- % Done changed from 50 to 90
I just committed the GUI code for this plus some more backend functions. There are still a couple items left, but not much. It is usable for most purposes in this state.
Updated by Jim Pingle about 5 years ago
- Status changed from In Progress to Feedback
- % Done changed from 90 to 100
This should be complete for now. I didn't add a CLI script, as it didn't seem necessary yet. On a related note, the GUI now also has visual indications that a CA/certificate is expiring soon (or is expired), and will notify the user when a certificate is due to expire. See #7332
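An added example of the expiry check behind that kind of expiring-soon indication; it is not pfSense's own code, and the warning window is an assumed parameter. It assumes certificates are available as PEM strings.

```php
<?php
// Added example of an expiry check for CAs and certificates; not pfSense code.
// $warn_days (the "expiring soon" window) is an assumed parameter.

/**
 * Classify a PEM certificate as 'expired', 'expiring' (within $warn_days) or 'ok'.
 * Returns the status plus the signed number of days until expiry (negative once past).
 */
function cert_expiry_status(string $pem, int $warn_days = 30, ?int $now = null): array {
    $now  = $now ?? time();
    $x509 = openssl_x509_read($pem);
    if ($x509 === false) {
        return ['status' => 'invalid', 'days_left' => null, 'name' => ''];
    }
    $info      = openssl_x509_parse($x509);
    $days_left = (int) floor(($info['validTo_time_t'] - $now) / 86400);
    if ($days_left < 0) {
        $status = 'expired';
    } elseif ($days_left <= $warn_days) {
        $status = 'expiring';
    } else {
        $status = 'ok';
    }
    return ['status' => $status, 'days_left' => $days_left, 'name' => $info['name']];
}

// Run over stored entries (each ['descr' => ..., 'crt' => PEM]) and return only those
// that need attention, ready for a GUI notice or a scheduled notification.
function expiring_entries(array $entries, int $warn_days = 30): array {
    $out = [];
    foreach ($entries as $e) {
        $s = cert_expiry_status($e['crt'], $warn_days);
        if ($s['status'] !== 'ok') {
            $out[] = ['descr' => $e['descr'], 'status' => $s['status'], 'days_left' => $s['days_left']];
        }
    }
    return $out;
}
```

Passing `$now` explicitly makes the classification testable against fixed timestamps instead of the wall clock.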
Updated by Viktor Gurov about 5 years ago
Jim Pingle wrote:
This should be complete for now. I didn't add a CLI script, as it didn't seem necessary yet. On a related note, the GUI now also has visual indications that a CA/certificate is expiring soon (or is expired), and will notify the user when a certificate is due to expire. See #7332
If the cert's ECDSA key is <384 bits (i.e. prime256v1) and the "Reuse Key" flag is unset, renewal fails with "Error renewing Certificate":
Warning: openssl_pkey_new(): private key length is too short; it needs to be at least 384 bits, not 256 in /etc/inc/certs.inc on line 1667
It also fails if the ECDSA key was manually created with the '-param_enc explicit' option, see https://redmine.pfsense.org/issues/9745
And as a feature, a Strict Security "Minimum Key" field can be added: RSA 2048 and ECDSA prime256v1.
Updated by Viktor Gurov about 5 years ago
https://github.com/pfsense/pfsense/pull/4122
I think we need to decide which EC curve is the minimum.
prime256v1 or secp384r1?
https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm uses P-384
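An added example of the "Minimum Key" strict-security check proposed above, with the EC floor left as a policy choice between prime256v1 and secp384r1. This is not pfSense code; it assumes a constructed curve-to-bits table and relies on openssl_pkey_get_details() reporting no curve name for keys created with explicit parameters, which the check then rejects rather than trying to regenerate.

```php
<?php
// Added illustration of a "Minimum Key" policy check for renewals; not pfSense code.
// Curve ranking table is constructed for this example; unknown curves rank as 0 bits.
const EC_CURVE_BITS = ['prime256v1' => 256, 'secp384r1' => 384, 'secp521r1' => 521];

/**
 * Decide whether a key satisfies the policy.
 * $details comes from openssl_pkey_get_details();
 * $policy  is ['rsa_min_bits' => 2048, 'ec_min_curve' => 'prime256v1' | 'secp384r1'].
 * Returns ['ok' => bool, 'reason' => string].
 */
function key_meets_minimum(array $details, array $policy): array {
    if ($details['type'] === OPENSSL_KEYTYPE_EC) {
        // Keys with explicit (non-named) parameters carry no curve_name and rank as 0.
        $curve = $details['ec']['curve_name'] ?? '';
        $have  = EC_CURVE_BITS[$curve] ?? 0;
        $need  = EC_CURVE_BITS[$policy['ec_min_curve']];
        return ['ok'     => $have >= $need,
                'reason' => "EC " . ($curve ?: 'explicit-params') . " ($have bits) vs minimum "
                            . "{$policy['ec_min_curve']} ($need bits)"];
    }
    if ($details['type'] === OPENSSL_KEYTYPE_RSA) {
        $have = (int) $details['bits'];
        return ['ok'     => $have >= $policy['rsa_min_bits'],
                'reason' => "RSA $have bits vs minimum {$policy['rsa_min_bits']}"];
    }
    return ['ok' => false, 'reason' => 'unsupported key type'];
}

// Default for the "Reuse Key" option on a renewal: keep the key unless strict mode rejects it.
function should_reuse_key(string $key_pem, bool $strict, array $policy): array {
    $key = openssl_pkey_get_private($key_pem);
    if ($key === false) {
        return ['reuse' => false, 'reason' => 'private key could not be parsed'];
    }
    $verdict = key_meets_minimum(openssl_pkey_get_details($key), $policy);
    return ['reuse' => !$strict || $verdict['ok'], 'reason' => $verdict['reason']];
}

// Usage (constructed): a fresh P-256 key passes the prime256v1 floor but not the secp384r1 one.
// private_key_bits is unused for EC keys but must still clear openssl_pkey_new()'s 384-bit floor.
$k = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC,
                       'curve_name' => 'prime256v1', 'private_key_bits' => 384]);
openssl_pkey_export($k, $pem);
var_dump(should_reuse_key($pem, true, ['rsa_min_bits' => 2048, 'ec_min_curve' => 'prime256v1'])['reuse']); // true
var_dump(should_reuse_key($pem, true, ['rsa_min_bits' => 2048, 'ec_min_curve' => 'secp384r1'])['reuse']);  // false
```

Ranking by curve size keeps the policy a one-field setting: raising the floor to secp384r1 (the CNSA suite's P-384) only changes the configured minimum, and every stored key is re-evaluated against it at renewal time.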
Updated by Jim Pingle about 5 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho about 5 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov about 5 years ago
Renato Botelho wrote:
PR has been merged. Thanks!
Tested on pfSense 2.5.0.a.20191217.2217
Resolved
Updated by Jim Pingle about 5 years ago
- Status changed from Feedback to Resolved