OPNsense Forum

English Forums => General Discussion => Topic started by: treadnaught on June 29, 2023, 04:42:19 am

Title: Intermediate CA for OpenVPN Clients' Certificates
Post by: treadnaught on June 29, 2023, 04:42:19 am
Good evening!

Firstly, just wanted to say that I am really appreciative of all the work done by the dev team and community members that brought OPNsense to where it is now. Thank you all for what you do.

Problem set:
I'm trying to set up an intermediate Certificate Authority to issue certificates for OpenVPN clients for remote access that I'm going to be implementing soon, but I've already got an external CA for the beginning of my chain of trust and do not wish to generate a new internal root CA.

The road warrior documentation covers setting up an internal root CA and then generating an intermediate CA based off of that local root CA, but I would like to set up an intermediate CA that is signed by my internal root CA so I won't have to import another root CA certificate to trust.

Searching the forums previously has not yielded anything of this nature that I could find so far.

Whenever I go to System > Trust > Authorities, I have my root CA configured as the top of the chain, but when attempting to create an intermediate CA, it does not give me the option to generate a CSR to take to my root CA for issuing. Is there a way to generate a CSR somewhere in the web UI that I'm not finding? Or is there a list of requirements for the CSR that I can use to generate the request on the OPNsense firewall?

Thank you in advance for your time,
Treadnaught

P.S. Perhaps this could be turned into a feature request sometime down the road for anyone else as crazy as I am.
Title: Re: Intermediate CA for OpenVPN Clients' Certificates
Post by: franco on June 29, 2023, 08:28:16 am
Creating a CSR for a CA is not supported at this point. If you want to request a feature you can do so via https://github.com/opnsense/core/issues/new?assignees=&labels=&projects=&template=feature_request.md&title=

But you can always create a CSR manually and import the resulting CA.


Cheers,
Franco
Title: Re: Intermediate CA for OpenVPN Clients' Certificates
Post by: treadnaught on June 30, 2023, 01:12:36 pm
Franco,

Thanks for your quick reply. I will definitely put in a feature request on the github page once I get the Intermediate CA set up on my OPNsense device.

For the Intermediate CA request, are there any specific OIDs that I need to include for the firewall to accept the CA cert for use? Only reason I ask is that the web server certificate required the Netscape SSL Server OID before it would work on the web server.

Thank you in advance for your time,
Treadnaught
Title: Re: Intermediate CA for OpenVPN Clients' Certificates
Post by: franco on June 30, 2023, 02:20:36 pm
It depends on where you want to sign the CA. Some CAs tend to force their "best practice" OIDs to the point where the requested settings are discarded. If you have your own CA somewhere, it's a bit more tricky as you would need to be careful which values are set.

In both cases you want a "modern" set of OIDs for a (web) server certificate and that's it.

Not a specific answer as that is a bit in flux over time and I don't know this stuff by heart.


Cheers,
Franco
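The two replies above leave the practical part implicit: how to "create a CSR manually and import the resulting CA", and which extensions the signed intermediate must end up with. The script below is an added example, not code from the thread or from the OPNsense project. It uses a throwaway root CA (constructed here as a stand-in for the real external root), generates the intermediate key and CSR with the CA extensions requested, signs it once correctly and once the way a signer that drops requested extensions would, issues one client certificate from the intermediate, and verifies the chain. Names such as "Example Issuing CA", the file layout under a temporary directory, and the 2048-bit RSA keys are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not OPNsense project code: build an intermediate-CA CSR by hand, sign it,
# and check the extensions that make the result usable as an issuing CA. The root CA here
# is a throwaway stand-in for the real external root; names and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway root CA (constructed for this demo) standing in for the external root.
make_root() {
  cat > "$WORK/root.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/root.cnf" -keyout "$WORK/root.key" -out "$WORK/root.crt"
}

# The CSR to hand to the root CA. Requested extensions mark it as a CA request;
# whether the signer honours them is the signer's decision.
make_intermediate_csr() {
  cat > "$WORK/int.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[ dn ]
CN = Example Issuing CA
[ v3_req ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/int.cnf" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr"
}

# Signing side. "openssl x509 -req" does not copy the CSR's requested extensions by
# default, so the CA extensions are supplied again via -extfile. A second signature
# without -extfile shows what a careless signer produces: no basicConstraints at all.
sign_intermediate() {
  cat > "$WORK/int.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.crt"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/int_noext.crt"
}

# One client certificate issued by the intermediate, as the firewall would for OpenVPN.
issue_client() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = client1\n' > "$WORK/client.cnf"
  cat > "$WORK/client.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/client.cnf" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr"
  openssl x509 -req -sha256 -days 365 -in "$WORK/client.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/client.ext" -out "$WORK/client.crt"
}

# Checks; each returns 0 on success.
csr_requests_ca()   { openssl req -in "$1" -noout -text | grep -q 'CA:TRUE'; }
has_ca_extensions() { t=$(openssl x509 -in "$1" -noout -text)
                      echo "$t" | grep -q 'CA:TRUE' && echo "$t" | grep -q 'Certificate Sign'; }
verify_chain()      { openssl verify -CAfile "$WORK/root.crt" "$WORK/int.crt" >/dev/null; }
verify_client()     { openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
                        -purpose sslclient "$WORK/client.crt" >/dev/null; }

make_root; make_intermediate_csr; sign_intermediate; issue_client
csr_requests_ca "$WORK/int.csr"
has_ca_extensions "$WORK/int.crt"
verify_chain
verify_client
if has_ca_extensions "$WORK/int_noext.crt"; then
  echo "unexpected: certificate signed without -extfile carries CA extensions"; exit 1
fi
echo "OK: $WORK/int.crt + int.key are the CA to import; int_noext.crt is not usable as a CA"
```

In practice only make_intermediate_csr runs on the firewall side (the key stays there; only int.csr travels to the root CA), and the returned certificate is what gets imported together with int.key as an existing CA under System > Trust > Authorities. The point of int_noext.crt is the caveat Franco raises: a signer that discards the requested extensions hands back a certificate without basicConstraints CA:TRUE and keyCertSign, and no standards-conforming verifier (RFC 5280) will accept certificates issued under it, so check the returned certificate with openssl x509 -text before importing it. pathlen:0 on the intermediate is optional; it simply stops the issuing CA from minting further sub-CAs.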