Closed mahescho closed 3 years ago
Are you sure the private key matches the public key in the certificate? And if so does it work when you remove the public-only root certificate?
My fault. For some reason data was not imported correctly. Suggestion: Check if certificate and key match at import.
But now I've a different issue. I used Opnsense to create a server certificate for the webUI. This time it succeeded but the browsers still tell me that it is invalid. I've checked the lighttpd config and the intermediate certificate is configured correctly. When I load the complete chain in XCA it tells me that XCA does not know the signer. The issuer hash matches the hash of the intermediate certificate. It makes no difference if the root certificate is present in Opnsense or not.
I'll take this import key check bug part of the issue, but I can't look into the follow-up at the moment since I'm at work (not OPNsense-related), but please ping me again later this week.
Found the problem. I've used my UCS (Univention Corporate Server) to sign my CSR. By default the openssl.cnf used for this sets "basicConstraints = critical, CA:FALSE" so despite my CSR sets "CA:TRUE" this got overridden while signing.
Two more suggestions:
This will help to avoid misconfiguration.
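As an added example (not from this issue thread or from OPNsense's own code), the two pre-import checks discussed above done with nothing but the openssl CLI: does the private key belong to the certificate, and does the signer actually carry basicConstraints CA:TRUE. The demo PKI it builds is constructed throwaway material that reproduces the thread's situation, a signer config forcing CA:FALSE onto an intermediate regardless of the CSR.

```shell
#!/bin/sh
# Added example, not OPNsense code. Two checks worth running before
# importing a CA bundle, using only the openssl CLI.

# Usage: key_matches_cert CERT.pem KEY.pem ; returns 0 on match, 1 otherwise.
# Both sides are exported as SubjectPublicKeyInfo PEM, so RSA and EC keys
# compare the same way. A mismatch is the first problem in the thread.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: cert_is_ca CERT.pem ; returns 0 when basicConstraints says CA:TRUE.
# Parses the -text dump instead of -ext so it also works on OpenSSL 1.0.2.
# A signer without CA:TRUE is why browsers/XCA reject the chain.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# Constructed demo PKI: a root with CA:TRUE, and an "intermediate" whose
# signer applies "basicConstraints = critical, CA:FALSE" from its own
# extension file, exactly what an unsuitable openssl.cnf does to a CSR.
# Prints the directory holding root.crt/root.key and int.crt/int.key.
make_demo_pki() {
    dir=$(mktemp -d) || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=DemoRoot \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null || return 1
    printf 'basicConstraints = critical, CA:TRUE\n' > "$dir/root.ext"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=DemoIntermediate \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    printf 'basicConstraints = critical, CA:FALSE\n' > "$dir/signer.ext"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 1 \
        -extfile "$dir/signer.ext" -out "$dir/int.crt" 2>/dev/null || return 1
    echo "$dir"
}
```

Run `cert_is_ca` against every certificate you intend to sign with, and `key_matches_cert` against each certificate/key pair, before importing them into the trust store.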
I can do 2. but 1. is not possible since we need to be able to add self-signed certificates to the trust store for external SSL connections to succeed.
See https://github.com/opnsense/core/issues/3048#issuecomment-872157239. I cannot break the self-signed certificate use case.
I've an internal PKI and created an intermediate certificate for my Opnsense with:
and imported the root certificate without private key and the intermediate certificate with the private key. When I try to issue a server or client certificate using the intermediate certificate I get:
How to fix this?
OPNsense 18.7.9-amd64 FreeBSD 11.1-RELEASE-p17 OpenSSL 1.0.2q 20 Nov 2018