opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Using intermediate certificate issued by internal PKI #3048

Closed mahescho closed 3 years ago

mahescho commented 5 years ago

I've an internal PKI and created an intermediate certificate for my Opnsense with:

X509v3 Key Usage: Certificate Sign, CRL Sign
Netscape Cert Type: SSL CA, S/MIME CA, Object Signing CA

and imported the root certificate without private key and the intermediate certificate with the private key. When I try to issue a server or client certificate using the intermediate certificate I get:

The following input errors were detected:

openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0E06D06C:configuration file routines:NCONF_get_string:no value
openssl library returns: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

How to fix this?

OPNsense 18.7.9-amd64
FreeBSD 11.1-RELEASE-p17
OpenSSL 1.0.2q 20 Nov 2018

fichtner commented 5 years ago

Are you sure the private key matches the public key in the certificate? And if so does it work when you remove the public-only root certificate?

mahescho commented 5 years ago

My fault. For some reason data was not imported correctly. Suggestion: check if certificate and key match at import.

But now I have a different issue. I used Opnsense to create a server certificate for the webUI. This time it succeeded, but the browsers still tell me that it is invalid. I've checked the lighttpd config and the intermediate certificate is configured correctly. When I load the complete chain in XCA it tells me that XCA does not know the signer. The issuer hash matches the hash of the intermediate certificate. It makes no difference if the root certificate is present in Opnsense or not.

fichtner commented 5 years ago

I'll take this import key check bug part of the issue, but I can't look into the follow-up at the moment since I'm at work (not OPNsense-related), but please ping me again later this week.

mahescho commented 5 years ago

Found the problem. I've used my UCS (Univention Corporate Server) to sign my CSR. By default the openssl.cnf used for this sets "basicConstraints = critical, CA:FALSE" so despite my CSR sets "CA:TRUE" this got overridden while signing.

mahescho commented 5 years ago

Two more suggestions:

  1. When a certificate gets imported in "System: Trust: Authorities" check if "CA:TRUE" is set in the imported certificate.
  2. Only display certificates of type "server" in "System: Settings: Administration" at "SSL Certificate".

This will help to avoid misconfiguration.
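The two import-time checks asked for in this thread (does the private key belong to the certificate; does an "authority" actually carry basicConstraints CA:TRUE) and the signing behaviour found above (the CSR asks for CA:TRUE, the signer's openssl.cnf writes CA:FALSE), as an added shell example built on the openssl CLI. This is not OPNsense code and not the project's import logic; the demo PKI, file names, subjects and the `ucs.ext` profile are constructed for the example and only stand in for the signer default described in the comment.

```shell
#!/bin/sh
# Added example (not OPNsense code): import-time sanity checks with the openssl
# CLI, plus a constructed demo PKI that reproduces "CSR asks for CA:TRUE but
# the signer forces CA:FALSE". All names below are made up for the demo.
set -eu

# 0 when the private key in $2 belongs to the certificate in $1.
# Compares SHA-256 over the DER SubjectPublicKeyInfo, so it works for RSA and
# EC keys alike ("openssl x509 -modulus" would be RSA-only).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate carries basicConstraints CA:TRUE, i.e. it is allowed
# to sign other certificates. Anything else does not belong in a CA slot.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# 0 when the CSR *requests* CA:TRUE. The signer is free to ignore this.
csr_requests_ca() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# 0 when leaf $3 chains to trusted root $1 through intermediate $2.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Builds the demo PKI in directory $1: root, one intermediate CSR signed twice
# (proper CA profile vs. the CA:FALSE signer default), and a server cert.
build_demo_pki() {
    d=$1
    mkdir -p "$d"
    # Extension profiles used by the signer (only these count, never the CSR).
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints = critical, CA:FALSE\n' > "$d/ucs.ext"   # constructed stand-in for the signer default
    # Minimal req config; section req_ca lets the intermediate CSR ask for CA:TRUE.
    printf '[req]\ndistinguished_name = dn\n[dn]\n[req_ca]\nbasicConstraints = critical, CA:TRUE\n' > "$d/req.cnf"

    openssl ecparam -name prime256v1 -genkey -noout -out "$d/root.key"
    openssl req -new -key "$d/root.key" -subj '/CN=Demo Root' -config "$d/req.cnf" -out "$d/root.csr"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -set_serial 1 -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

    openssl ecparam -name prime256v1 -genkey -noout -out "$d/int.key"
    openssl req -new -key "$d/int.key" -subj '/CN=Demo Intermediate' -config "$d/req.cnf" \
        -reqexts req_ca -out "$d/int.csr"
    # Same CSR, two signings: the CSR's CA:TRUE request is ignored both times.
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 2 -days 30 \
        -extfile "$d/ca.ext" -out "$d/int_good.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -set_serial 3 -days 30 \
        -extfile "$d/ucs.ext" -out "$d/int_bad.crt" 2>/dev/null

    # Server certificate issued with the intermediate key (shared by both certs).
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key"
    openssl req -new -key "$d/leaf.key" -subj '/CN=firewall.example' -config "$d/req.cnf" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int_good.crt" -CAkey "$d/int.key" -set_serial 10 -days 30 \
        -extfile "$d/ucs.ext" -out "$d/leaf.crt" 2>/dev/null
}

# Stand-alone run: build the PKI in a temp dir and report each check.
run_demo() {
    d=$(mktemp -d)
    build_demo_pki "$d"
    report() { label=$1; shift; if "$@"; then echo "yes  $label"; else echo "no   $label"; fi; }
    report "int key matches int_good.crt"        key_matches_cert "$d/int_good.crt" "$d/int.key"
    report "root key matches int_good.crt"       key_matches_cert "$d/int_good.crt" "$d/root.key"
    report "int.csr requests CA:TRUE"            csr_requests_ca "$d/int.csr"
    report "int_good.crt has CA:TRUE"            cert_is_ca "$d/int_good.crt"
    report "int_bad.crt has CA:TRUE"             cert_is_ca "$d/int_bad.crt"
    report "leaf chains via int_good.crt"        chain_verifies "$d/root.crt" "$d/int_good.crt" "$d/leaf.crt"
    report "leaf chains via int_bad.crt"         chain_verifies "$d/root.crt" "$d/int_bad.crt" "$d/leaf.crt"
    rm -rf "$d"
}
run_demo
```

The last two lines of the report are the browser/XCA symptom from the thread: the server certificate is signed correctly, but the issuer certificate the firewall hands out has CA:FALSE, so no path builder will accept it as a signer. Checking `cert_is_ca` on the intermediate at import would have caught it before any server certificate was issued.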

fichtner commented 3 years ago

I can do 2. but 1. is not possible since we need to be able to add self-signed certificates to the trust store for external SSL connections to succeed.

mahescho commented 3 years ago

1. is more important, 2. is nice to have :)

fichtner commented 3 years ago

See https://github.com/opnsense/core/issues/3048#issuecomment-872157239 I cannot break the self-signed certificate use case.