
Internal CAs created in OPNsense have no KeyUsage Extension #5912

Labels: cleanup (Low impact changes)
Comments

@goodomens42 (issue author)

Description

When creating a new CA in "System -> Trust -> Authorities" using "Create an internal Certificate Authority", the resulting CA certificate has no KeyUsage extension. It should have one of type "critical" with the values "Certificate Sign, CRL Sign", as otherwise third-party software might not accept the CA as valid.

To Reproduce

Steps to reproduce the behavior:

  1. Go to "System -> Trust -> Authorities"
  2. Click "Create an internal Certificate Authority" and fill in the form
  3. Export the generated CA certificate
  4. Examine it with a suitable certificate viewer

Expected behavior

See Description

Environment

OPNsense 22.1.10-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1q 5 Jul 2022

@kulikov-a (Member)

kulikov-a commented Aug 6, 2022

Hi,
could you please give an example of when such a cert is not considered valid? I thought that this extension is optional (although it is marked critical if present) and is intended to limit the scope of the key (if there is no need to limit the scope, then the extension may be absent).
https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.1.3

@kulikov-a (Member)

kulikov-a commented Sep 10, 2022

@fichtner @AdSchellevis @goodomens42 @barzog
I must apologize if my previous post misled anyone. After taking the time to read the slightly ambiguous text of rfc5280 again and digging around a bit, I agree with the users that the text of the standard rightly treats the keyUsage extension as necessary for (root) CAs that are used to validate other certs or CRLs:

"Conforming CAs MUST include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs. When present, conforming CAs SHOULD mark this extension as critical."

A possible fix is mentioned at #5629, although I think it would be more correct with:

    keyUsage = critical, cRLSign, digitalSignature, keyCertSign

sorry!

Some links:
https://www.truenas.com/community/threads/openvpn-ca-from-opnsense-root-ca-must-have-keyusage-extension-set.102686/
https://kb.vmware.com/s/article/74756
https://www.ibm.com/docs/en/external-auth-server/2.4.2?topic=extensions-keyusage-extension
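Added example (not OPNsense code and not part of the thread): it builds a throwaway self-signed CA with and without the keyUsage line quoted above, then checks each certificate for a critical Key Usage extension carrying Certificate Sign and CRL Sign, which is the property a strict client looks for. The CN, file names and 1-day validity are made up for the demo; it assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Demo: generate a CA with/without keyUsage and verify the extension.
# Everything here (CN, paths, validity) is constructed for the example.
set -eu
WORK=$(mktemp -d)

# Write a minimal openssl.cnf; $2 = yes/no selects whether keyUsage is emitted.
write_cnf() {
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n'
    printf '[dn]\nCN = Demo Internal CA\n'
    printf '[ca_ext]\nbasicConstraints = critical, CA:TRUE\nsubjectKeyIdentifier = hash\n'
    if [ "$2" = yes ]; then
      printf 'keyUsage = critical, cRLSign, digitalSignature, keyCertSign\n'
    fi
  } > "$1"
}

# Generate a self-signed CA certificate ($2) from config $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$2" -config "$1" >/dev/null 2>&1
}

# Succeeds only if the cert has a *critical* Key Usage extension that
# includes both Certificate Sign and CRL Sign (RFC 5280, section 4.2.1.3).
check_ca_keyusage() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'X509v3 Key Usage: critical' || return 1
  # The usage flags are printed on the line following the extension header.
  usage=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  printf '%s\n' "$usage" | grep -q 'Certificate Sign' || return 1
  printf '%s\n' "$usage" | grep -q 'CRL Sign' || return 1
}

write_cnf "$WORK/with.cnf" yes
make_ca "$WORK/with.cnf" "$WORK/with.pem"
write_cnf "$WORK/without.cnf" no
make_ca "$WORK/without.cnf" "$WORK/without.pem"
for name in with without; do
  if check_ca_keyusage "$WORK/$name.pem"; then
    echo "$name keyUsage: present and correct"
  else
    echo "$name keyUsage: missing or incomplete"
  fi
done
```

The same `check_ca_keyusage` function can be pointed at a CA exported from OPNsense to confirm whether the fix is in effect.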
