Using intermediate certificate issued by internal PKI #3048
Comments
Are you sure the private key matches the public key in the certificate? And if so, does it work when you remove the public-only root certificate?
My fault. For some reason the data was not imported correctly. Suggestion: check whether certificate and key match at import. But now I have a different issue. I used Opnsense to create a server certificate for the web UI. This time it succeeded, but the browsers still tell me that it is invalid. I've checked the lighttpd config and the intermediate certificate is configured correctly. When I load the complete chain in XCA, it tells me that XCA does not know the signer. The issuer hash matches the hash of the intermediate certificate. It makes no difference whether the root certificate is present in Opnsense or not.
I'll take the key-check-at-import bug as part of this issue, but I can't look into the follow-up at the moment since I'm at work (not OPNsense-related); please ping me again later this week.
Found the problem. I used my UCS (Univention Corporate Server) to sign my CSR. By default the openssl.cnf used for this sets "basicConstraints = critical, CA:FALSE", so even though my CSR set "CA:TRUE", this was overridden while signing.
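The two failure modes in this thread (a private key that does not belong to the imported certificate, and a signer whose openssl.cnf forces `basicConstraints = CA:FALSE` regardless of what the CSR asks for) can be reproduced and checked with nothing but openssl. The script below is an added example, not code from this issue, from OPNsense or from UCS; it assumes `openssl(1)` is on PATH, builds a throwaway root, intermediate and server certificate in a temporary directory, and all names (`Test-Root`, `opnsense.example`, the section names in `req.cnf`) are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of OPNsense or of the issue above.
# Assumes openssl(1) on PATH. Everything is generated in a scratch
# directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: one CA extension section and one end-entity
# section. "v3_end" plays the role of the UCS default that forced CA:FALSE.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_end]
basicConstraints = critical,CA:FALSE
EOF

# Check 1: does this private key belong to this certificate?
# Compares the SubjectPublicKeyInfo derived from the key with the one in
# the certificate (works for RSA and EC alike).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: what did the signer actually put into basicConstraints?
# Prints "CA:TRUE" or "CA:FALSE".
ca_flag_of() {
    openssl x509 -in "$1" -noout -text | grep -o 'CA:[A-Z]*' | head -n1
}

# Check 3: does the chain root -> intermediate -> leaf verify?
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj /CN=Test-Root -days 30 -config req.cnf -extensions v3_ca >/dev/null 2>&1

# Intermediate CSR that explicitly requests CA:TRUE (as in the thread).
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj /CN=Test-Intermediate -config req.cnf -reqexts v3_ca >/dev/null 2>&1

# Signing with the wrong extension section: "openssl x509 -req" takes its
# extensions from -extfile/-extensions, not from the CSR, so the requested
# CA:TRUE is silently replaced by CA:FALSE.
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile req.cnf -extensions v3_end -out int-bad.crt >/dev/null 2>&1

# Signing with the CA section: the intermediate really is a CA.
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile req.cnf -extensions v3_ca -out int-good.crt >/dev/null 2>&1

# Server certificate issued by the intermediate key (same key and subject in
# both int-*.crt, so the only difference when verifying is the CA flag).
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj /CN=opnsense.example -config req.cnf >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA int-good.crt -CAkey int.key -CAcreateserial \
    -days 30 -extfile req.cnf -extensions v3_end -out srv.crt >/dev/null 2>&1

# Stand-alone report when run directly.
for pair in "int.key int-good.crt" "root.key int-good.crt"; do
    set -- $pair
    if key_matches_cert "$1" "$2"; then echo "$1 matches $2"; else echo "$1 does NOT match $2"; fi
done
echo "int-bad.crt:  $(ca_flag_of int-bad.crt)"
echo "int-good.crt: $(ca_flag_of int-good.crt)"
if chain_verifies root.crt int-good.crt srv.crt; then echo "chain via int-good.crt: OK"; fi
if ! chain_verifies root.crt int-bad.crt srv.crt; then echo "chain via int-bad.crt: FAILS (intermediate is not a CA)"; fi
```

The key/certificate comparison is the check the thread asks OPNsense to perform at import time; the `ca_flag_of` check is what tells you that a "CA:TRUE" in the CSR never made it into the issued certificate, which a browser or XCA then refuses to accept as a signer.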
Two more suggestions:
This will help to avoid misconfiguration.
I can do 2., but 1. is not possible, since we need to be able to add self-signed certificates to the trust store for external SSL connections to succeed.
See #3048 (comment): I cannot break the self-signed certificate use case.
I've an internal PKI and created an intermediate certificate for my Opnsense with:
and imported the root certificate without private key and the intermediate certificate with the private key. When I try to issue a server or client certificate using the intermediate certificate I get:
How do I fix this?
OPNsense 18.7.9-amd64
FreeBSD 11.1-RELEASE-p17
OpenSSL 1.0.2q 20 Nov 2018