Author Topic: Certificate manager and generating public keys  (Read 304 times)

stats2909
Re: Certificate manager and generating public keys
« Reply #15 on: December 28, 2017, 01:50:37 pm »
Hmmmmm, so it's green when I use the IP address, not when I use the hostname....


I feel like I'm making progress!

Derelict
Re: Certificate manager and generating public keys
« Reply #16 on: December 28, 2017, 02:16:38 pm »
Did you put the hostname in the CN? Or in a SAN?

The browser needs the CN and/or a SAN to match what it is told to connect to or it will throw an error.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

johnpoz
Re: Certificate manager and generating public keys
« Reply #17 on: December 28, 2017, 02:34:50 pm »
The switch is prob stupid and just put in whatever IP it has for the CN. If it does not allow you to edit those, then when you sign the CSR in pfSense put the FQDN you want to use (or multiples, etc.) as FQDN SANs, and IP SANs for any IPs you might use to access the switch.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

stats2909
Re: Certificate manager and generating public keys
« Reply #18 on: December 28, 2017, 02:43:11 pm »
 ;D  finally!!!

That only took the entire day.... as you thought I'd not put all DNS options into the certificate.


So.... I deleted the lot, from pfsense and the switch and started all over again.  Then it all worked fine, even the switch played nicely for some unknown reason.


So I'll quit while I'm ahead and grab a beer!

Thanks to you both for helping me!  Derelict, you're a star!


If anyone else has the same issues, this is how I did it (well, how Derelict instructed me :) ):


1. Use the pfSense cert manager to create a new server certificate.... make sure to include the FQDN, hostname, IP address and any other way you'll access the web GUI in the certificate.

2.

Taken from Derelict's post....

Diagnostics > Edit File

Put /tmp/switch.key in the path and paste the private key in the main text window, with the begin and end lines included, and save.

Then Diagnostics > Command Prompt

Execute this shell command:

openssl rsa -in /tmp/switch.key -RSAPublicKey_out

Try using that output (don't copy that first "writing" line) in the public key field.


3. Then save the p12 file from pfSense somewhere onto your machine - I'm not sure it matters where. Then in Terminal I navigated to the folder I'd saved that p12 file in and ran the following command: openssl pkcs12 -in pfsensefile.p12 -nocerts -out private.key
I hit enter on the first password/import prompt and entered my own password in the second.

4. In the same terminal window run the following: openssl rsa -in private.key -out privateRSA.key   Use the password you entered in step 3.

Then..... 

5. Go into the switch and in the Import Certificates section paste the certificate data from the pfSense .cert file into the certificate box. Put the output of step 2 into the Public key box and the output of step 4 (found in the privateRSA.key file) into the Private key box.

6. Hit apply and cross your fingers!


Thanks again to Derelict and johnpoz, couldn't have done it without you!!!
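The following script is an added example, not code from the thread, from pfSense, or from the switch vendor. It replays steps 2 to 4 of the write-up above with openssl on a workstation and bolts on the two checks the thread arrives at the hard way: that the certificate, the extracted private key and the RSAPublicKey blob all share one modulus (so the three things pasted into the switch actually belong together), and that the certificate's SAN list covers every name or IP that will be typed into the browser (the CN/SAN point Derelict makes in reply #16). Since pfSense itself is not available here, step 1 is stood in for by a self-signed certificate built with the same SAN entries; the real one would be signed by the pfSense CA, but the name check is identical. All file names, the example hostnames/IP, and the passphrases export123 and temp123 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Replays the thread's
# steps 2-4 with openssl and adds the two checks a reader would want:
# the extracted key/public key really belong to the certificate, and the
# certificate names every way the switch will be reached.
# All paths, names and passphrases below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; private keys land here, delete it afterwards

# Stand-in for the pfSense cert manager (step 1): a self-signed server cert
# whose SAN list carries the FQDN, the short hostname and the IP address.
make_switch_cert() {
    fqdn=$1; host=$2; ip=$3
    cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $fqdn
[v3]
subjectAltName = DNS:$fqdn,DNS:$host,IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/san.cnf" \
        -keyout "$WORK/switch.key" -out "$WORK/switch.crt" 2>/dev/null
    # pfSense hands out a PKCS#12 bundle; build the equivalent (assumed export passphrase).
    openssl pkcs12 -export -in "$WORK/switch.crt" -inkey "$WORK/switch.key" \
        -out "$WORK/switch.p12" -passout pass:export123
}

# Step 3: private key out of the .p12 (the thread's "openssl pkcs12 -nocerts").
# Step 4: drop the PEM passphrase so the switch gets a plain RSA key.
extract_private_key() {
    openssl pkcs12 -in "$WORK/switch.p12" -nocerts \
        -passin pass:export123 -passout pass:temp123 -out "$WORK/private.key" 2>/dev/null
    openssl rsa -in "$WORK/private.key" -passin pass:temp123 \
        -out "$WORK/privateRSA.key" 2>/dev/null
}

# Step 2: the public key in the "BEGIN RSA PUBLIC KEY" (PKCS#1) form the switch
# asked for. The "writing RSA key" line the thread says to skip is stderr, which
# is why it shows up in the pfSense web command prompt; here it is discarded.
derive_public_key() {
    openssl rsa -in "$WORK/privateRSA.key" -RSAPublicKey_out \
        -out "$WORK/switch.pub" 2>/dev/null
}

# Check 1: cert, private key and public key share one modulus, i.e. the three
# blobs pasted into the switch really belong together.
key_matches_cert() {
    c=$(openssl x509 -in "$WORK/switch.crt" -noout -modulus)
    k=$(openssl rsa -in "$WORK/privateRSA.key" -noout -modulus 2>/dev/null)
    p=$(openssl rsa -RSAPublicKey_in -in "$WORK/switch.pub" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ] && [ "$c" = "$p" ]
}

# Check 2: does the SAN list contain exactly the name or IP typed in the browser?
# A green bar on the IP but a warning on the hostname means the DNS entry is missing.
cert_covers_name() {
    openssl x509 -in "$WORK/switch.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -q -E "(DNS|IP Address):$1"'(,|$)'
}

# Usage: sh switchcert.sh switch.example.lan switch 192.168.1.2
if [ $# -eq 3 ]; then
    make_switch_cert "$1" "$2" "$3"
    extract_private_key
    derive_public_key
    key_matches_cert && echo "key/cert/pubkey match"
    for n in "$1" "$2" "$3"; do
        cert_covers_name "$n" && echo "SAN covers $n"
    done
    echo "paste $WORK/switch.crt, $WORK/switch.pub, $WORK/privateRSA.key into the switch, then rm -rf $WORK"
fi
```

Two practical notes. First, every step in the thread leaves an unencrypted private key lying around (in /tmp on the firewall via Diagnostics > Edit File, and in privateRSA.key on the workstation); delete those files once the switch has accepted the key, and prefer the cert manager's own "export private key" action that Derelict mentions, which skips the PKCS#12 round trip entirely. Second, OpenSSL 3 writes the step 4 output as a PKCS#8 "BEGIN PRIVATE KEY" block; if a switch insists on the older "BEGIN RSA PRIVATE KEY" framing, add -traditional to the openssl rsa call (that flag exists only in OpenSSL 3).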


johnpoz
Re: Certificate manager and generating public keys
« Reply #19 on: December 28, 2017, 02:45:09 pm »
Signing the CSR would have been much easier... That is for sure...

Derelict
Re: Certificate manager and generating public keys
« Reply #20 on: December 28, 2017, 02:47:22 pm »
Yeah, and there's an export private key so not sure why you dorked with extracting the key from the pkcs12 bundle but glad it's working. :)

stats2909
Re: Certificate manager and generating public keys
« Reply #21 on: December 28, 2017, 02:50:38 pm »
I was halfway through that when I noticed that accessing the GUI via the IP gave a green URL bar.

As I couldn't really tell if I'd signed things properly - the switch was hardly forthcoming with info - I checked the certificate the browser was seeing.

It turned out to be the one I'd created at the outset of the process... so felt I'd give that one final go starting fresh before going down the signing route. 

(which I think would have been easiest all along lol)

Thanks again :)

stats2909
Re: Certificate manager and generating public keys
« Reply #22 on: December 28, 2017, 02:51:23 pm »
Yeah, and there's an export private key so not sure why you dorked with extracting the key from the pkcs12 bundle but glad it's working. :)

Pass.... Something about seeing the wood for the trees comes to mind, that and not really knowing what I'm doing!  ::)
« Last Edit: December 28, 2017, 02:55:15 pm by stats2909 »