Feature #9842

closed

Add CA/certificate renewal function

Added by Jim Pingle about 5 years ago. Updated about 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 10/22/2019
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

Currently there is no way to renew an existing certificate; you have to recreate it.

Add a function to renew a certificate, with the following features:

  • Keep the current key, or optionally generate a new key
  • Reuse the existing values for DN, SAN, digest, key type, lifetime, etc
  • Deprecated subject items can be ignored (e.g. email)
  • Force adding a SAN if it was missing
  • Optionally enforce some other changes like limiting the max lifetime on server certificates, or forcing a new key/hash if the old one is insecure (too small key, sha1 or older, etc), see #9825

Should be a button next to the certificate which opens a confirmation screen with the options (make new key, enforce stronger security, etc)

A CLI script that renews certs (found by descr or refid) would also be nice.

If it's not much more work, add CA renewal as well, but that may need to be moved to its own issue as it will have its own set of issues.

To me, I have backend code ready to handle the renewal, but it needs more work + GUI/frontend parts.

Actions #1

Updated by Jim Pingle about 5 years ago

  • Subject changed from Add certificate renewal function to Add CA/certificate renewal function
  • Status changed from New to In Progress

Second guessing the removal of deprecated subject items, since if the subject and key stay the same, then clients would still consider the CA valid when renewed without having to reissue a copy of the certificate. So the code should preserve those as well as maintain an identical subject order.

Also with some care taken about determining entry parameters, the same function can work for CA and Certificates. Backend code is nearly complete, frontend code is still a work in progress.

Actions #2

Updated by Jim Pingle about 5 years ago

  • % Done changed from 0 to 50

Actions #3

Updated by Jim Pingle about 5 years ago

  • % Done changed from 50 to 90

I just committed the GUI code for this plus some more backend functions. There are still a couple items left, but not much. It is usable for most purposes in this state.

Actions #4

Updated by Jim Pingle about 5 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 90 to 100

This should be complete for now. I didn't add a CLI script, as it didn't seem necessary yet. On a related note, the GUI now also has visual indications that a CA/certificate is expiring soon (or is expired), and will notify the user when a certificate is due to expire. See #7332

Actions #5

Updated by Viktor Gurov about 5 years ago

Jim Pingle wrote:

This should be complete for now. I didn't add a CLI script, as it didn't seem necessary yet. On a related note, the GUI now also has visual indications that a CA/certificate is expiring soon (or is expired), and will notify the user when a certificate is due to expire. See #7332

If cert ECDSA key <384 (i.e. prime256v1) and "Reuse Key" flag is unset, "Error renewing Certificate":

Warning: openssl_pkey_new(): private key length is too short; it needs to be at least 384 bits, not 256 in /etc/inc/certs.inc on line 1667 

Also failed if ECDSA key manually created with '-param_enc explicit' option, see https://redmine.pfsense.org/issues/9745

And as a feature, Strict Security "Minimum Key" field can be added: RSA 2048 and ECDSA prime256v1.

Actions #6

Updated by Viktor Gurov about 5 years ago

https://github.com/pfsense/pfsense/pull/4122

I think that we need to decide which EC is minimum.
prime256v1 or secp384r1?

https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm uses P-384
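
The renewal rules discussed in this issue (keep the subject and its order, add a missing SAN, and under strict security force a new key, stronger digest and shorter server lifetime), sketched as an added example that is not part of the thread and is not pfSense code. All names are hypothetical; the thresholds use the minimums suggested above (RSA 2048, ECDSA prime256v1), while the replacement digest and the lifetime cap are assumed values.

```python
from dataclasses import dataclass, replace

# Assumed policy values (not taken from pfSense). The thread leaves the EC
# minimum open; set MIN_EC_CURVE to "secp384r1" for the stricter choice.
MIN_RSA_BITS = 2048
EC_CURVE_BITS = {"prime256v1": 256, "secp384r1": 384, "secp521r1": 521}
MIN_EC_CURVE = "prime256v1"
WEAK_DIGESTS = {"md5", "sha1"}
DEFAULT_DIGEST = "sha256"          # assumed replacement digest
MAX_SERVER_LIFETIME_DAYS = 398     # hypothetical cap for server certificates

@dataclass(frozen=True)
class CertParams:
    subject: tuple      # ordered (attribute, value) pairs, never rewritten
    sans: tuple
    key_type: str       # "RSA" or "ECDSA"
    key_bits: int = 0   # RSA only
    curve: str = ""     # ECDSA only (named curve)
    digest: str = "sha256"
    lifetime_days: int = 3650
    is_server: bool = False

def key_is_weak(p):
    if p.key_type == "RSA":
        return p.key_bits < MIN_RSA_BITS
    # Unknown curve names (e.g. explicit-parameter keys) count as weak.
    return EC_CURVE_BITS.get(p.curve, 0) < EC_CURVE_BITS[MIN_EC_CURVE]

def plan_renewal(old, reuse_key=True, strict=False):
    """Return (new_params, new_key_needed, notes); the subject is left untouched."""
    new, notes = old, []
    new_key = not reuse_key
    if not new.sans:
        cn = dict(new.subject).get("CN")
        if cn:  # assumes the CN is a hostname
            new = replace(new, sans=("DNS:" + cn,))
            notes.append("added SAN from CN")
    if strict:
        if key_is_weak(new):
            new_key = True  # overrides reuse_key: a weak key is never carried over
            new = (replace(new, key_bits=MIN_RSA_BITS) if new.key_type == "RSA"
                   else replace(new, curve=MIN_EC_CURVE))
            notes.append("forced new key")
        if new.digest.lower() in WEAK_DIGESTS:
            new = replace(new, digest=DEFAULT_DIGEST)
            notes.append("upgraded digest")
        if new.is_server and new.lifetime_days > MAX_SERVER_LIFETIME_DAYS:
            new = replace(new, lifetime_days=MAX_SERVER_LIFETIME_DAYS)
            notes.append("capped server lifetime")
    return new, new_key, notes
```

Because a forced new key changes the public key, a CA renewed this way has to be redistributed to clients, unlike a renewal that keeps the same key and subject.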

Actions #7

Updated by Jim Pingle about 5 years ago

  • Status changed from Feedback to Pull Request Review

Actions #8

Updated by Renato Botelho about 5 years ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!

Actions #9

Updated by Viktor Gurov about 5 years ago

Renato Botelho wrote:

PR has been merged. Thanks!

Tested on pfSense 2.5.0.a.20191217.2217

Resolved

Actions #10

Updated by Jim Pingle about 5 years ago

  • Status changed from Feedback to Resolved