Topic: Don't forget handy Cert Manager for all your Cert Needs ;)

johnpoz
Don't forget handy Cert Manager for all your Cert Needs ;)
« on: December 15, 2017, 03:20:35 pm »
Don't forget that pfSense has a very handy, easy-to-use Cert Manager that allows for creation of your own CAs, signing of CSRs, and creation of certs for use in all your other devices.

I have been doing this for years, to be honest... web interfaces for applications I run both locally and on VPSs all over the globe. Where I do not need publicly trusted certs, I just use a CA I created in pfSense that I trust.

Everyone is all about the Let's Encrypt free certs these days... But unless you have lots of users or unknown people accessing whatever it is, a cert from your own CA that only you trust is quite often more than enough.

And with the ability to add SANs to CSRs, this comes in really handy for appliances and such where the SSL cert feature set is limited. For example, I recently got a new SG300-28 switch. And while I love the feature set of the switch, Cisco and implementing SSL is very painful if you ask me. There are a few great threads around the net about importing certs into these lines of switches, dealing with creating your certs with openssl, etc.

But I just wanted to post that such stuff can be done with the Cert Manager in pfSense, and very simply. Using my SG300 as an example: using the GUI, just create the CSR. But they do not allow you to put in more than the CN. Well, as we all know, many current browsers will balk at you if the cert does not have a SAN as well. So you just create the CSR on the switch, using whatever CN you want. Then in pfSense sign the CSR, remembering to add a SAN for the CN and whatever else you want. So I always add the IP as well as the FQDN I use. If you might hit that switch using multiple IPs, put them all in.

Then just import the cert after you have signed it, and the SANs will be available.

The other advantage of this over, say, the ACME stuff is that you can use RFC 1918 addresses and non-public domains. And you can set the cert good for 10 years so you don't have to dick with it again like you do with ACME.

See attached: nice green lock with both name and IP. Any questions on using Cert Manager in pfSense to manage certs for your devices, just ask.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
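The workflow described in the post above (create a private CA, take a CN-only CSR from a device, sign it while adding DNS and IP SANs, set a long validity, then check the result), reproduced with plain openssl as an added example. This is not code from the original post or from pfSense; it mirrors the same steps the Cert Manager GUI performs. The CA name, the hostname switch.home.arpa, the address 192.168.1.2 and the working directory are placeholders; on a real switch the CSR would come from the device instead of make_device_csr.

```sh
#!/bin/sh
# Added example: private CA + SAN-adding CSR signing, the openssl equivalent of
# pfSense Cert Manager's "Create internal CA" and "Sign a Certificate Signing Request".
set -eu

WORK="${WORK:-$(mktemp -d)}"   # placeholder scratch directory

# 1. Create the private CA (10-year validity, CA:TRUE, cert-signing key usage only).
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Home Lab CA
[v3_ca]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. A CSR carrying only a CN, which is all the switch GUI lets you enter.
#    $1 = CN (hostname). Stands in for the CSR exported from the device.
make_device_csr() {
  cat > "$WORK/device.cnf" <<EOF
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = $1
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/device.cnf" -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
}

# 3. Sign the CSR and add the SANs it lacks. The SANs come from the CA side,
#    so the device never needs to know how to ask for them.
#    $1 = FQDN SAN, $2 = IP SAN, $3 = validity in days.
sign_csr() {
  cat > "$WORK/san.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:$1, IP:$2
EOF
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$3" -sha256 -extfile "$WORK/san.ext" \
    -out "$WORK/device.crt" 2>/dev/null
}

# 4. Checks a practitioner wants before importing the cert into the device.
# SAN line from the signed cert, whitespace stripped, e.g. "DNS:host,IPAddress:1.2.3.4".
san_of() {
  openssl x509 -in "$WORK/device.crt" -noout -text |
    awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# Chain verifies against our CA only, and both the name and the IP match the SANs.
# $1 = hostname to check, $2 = IP to check.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" -verify_ip "$2" \
    "$WORK/device.crt" >/dev/null 2>&1
}

# True if the cert is still valid $1 days from now (the "set it for 10 years" point).
cert_valid_beyond_days() {
  openssl x509 -in "$WORK/device.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Usage with the placeholder names:
make_ca
make_device_csr switch.home.arpa
sign_csr switch.home.arpa 192.168.1.2 3650
echo "SAN: $(san_of)"
verify_cert switch.home.arpa 192.168.1.2 && echo "chain, hostname and IP OK"
```

The import step is device-specific (the switch CLI, or the Unifi import_cert command later in this thread); what this shows is that the SAN content is entirely under the CA's control, so a device that only lets you type a CN is no obstacle. Note that -verify_hostname and -verify_ip need OpenSSL 1.1.0 or later.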

Grimson
Re: Don't forget handy Cert Manager for all your Cert Needs ;)
« Reply #1 on: December 15, 2017, 03:40:12 pm »
Now if pfSense would be smart enough to add CAs from the Cert Manager to the CA list* in its own OS, so that FreeBSD can use them too, it would really be good.

*/usr/local/share/certs/ca-root-nss.crt

johnpoz
Re: Don't forget handy Cert Manager for all your Cert Needs ;)
« Reply #2 on: December 21, 2017, 04:37:56 am »
For all those Unifi controller users: same thing for adding the SAN to the cert you're using for the Unifi controller.

sudo su -
# cd <unifi_base>
# on Windows, "%USERPROFILE%/Ubiquiti Unifi"
cd /usr/lib/unifi

# create new certificate (with csr)
java -jar lib/ace.jar new_cert <hostname> <company> <city> <state> <country>

# your CSR can be found at /var/lib/unifi
# - unifi_certificate.csr.der
# - unifi_certificate.csr.pem

# have this CSR signed by a CA, you'll get a few certificates back...
# copy the signed certificate(s) to <unifi_base>

# import the signed certificate and other intermediate certificates
java -jar lib/ace.jar import_cert <signed_cert> [<other_intermediate_root_certs>...]

Just add the SANs you want on your cert before you sign the CSR on pfSense.