Hi,
I set up a package mirror for OPNsense with an SSL/TLS certificate signed by a private Certificate Authority (Corp. environment, multiple firewall clusters).
After lots of googling, the only way I've found to add our private CA was to append our Root- and Intermediate-Certificate to [/usr/local]/etc/ssl/cert.pem, which gets overwritten every time the ca_root_nss package is updated or OPNsense is rebooted. Is this really the only way to add a private CA-Cert in FreeBSD?
Adding the certs to System::Trust::Authorities doesn't help. <-- It does help and solves the issue
The way described by (0) doesn't work for the pkg command (it works when using the openssl command though).
(0) https://blog.socruel.nu/freebsd/how-to-install-private-CA-on-freebsd.html
Sorry, what's wrong with "System::Trust::Authorities"?
Quote: gets overwritten every time the ca_root_nss package is updated or OPNsense is rebooted
AFAIK, OPNsense gets the description and <crt>s from the config, adds them to the ca_root_nss content and copies the result to cert.pem.
Quote from: Fright on September 23, 2020, 05:49:43 PM
what's wrong with "System::Trust::Authorities"?
I put my certificates (Root CA and Issuing Intermediate CA) there but the update function still didn't accept my mirror's certificate.
I'll try that again.
Edit:
Feeling kinda dumb right now ... Just added our certificates again, and it worked ... Thanks for the hint!
Hi,
I think this one was fixed in 19.1.7 a while back:
o system: cleanly rewrite CA root files and add local trusted CAs as well
Cheers,
Franco
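
A check for the situation discussed in this thread, as an added example that is not part of the original posts and not OPNsense's own code: it reports whether every certificate in a private CA file is present in a trust bundle such as /usr/local/etc/ssl/cert.pem, so it can be re-run after a ca_root_nss update or a reboot. The function names are assumptions, and the sample blocks are constructed stand-in bytes rather than real X.509 certificates.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of the DER bytes of every certificate block in pem_text."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]


def missing_from_bundle(bundle_text, ca_text):
    """Fingerprints of certificates in ca_text that do not appear in bundle_text."""
    present = set(pem_fingerprints(bundle_text))
    return [fp for fp in pem_fingerprints(ca_text) if fp not in present]


def _sample_pem(payload, width=64):
    # Constructed stand-in: arbitrary bytes in PEM armour, not a real certificate.
    b64 = base64.b64encode(payload * 8).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def demo():
    public = _sample_pem(b"constructed public root ")
    root = _sample_pem(b"constructed private root ")
    inter = _sample_pem(b"constructed private intermediate ")
    private_cas = root + inter
    # Bundle as it looks when only the public roots were written.
    overwritten = "# constructed bundle header\n" + public
    # Bundle with the private CAs merged in; the root is re-wrapped at a
    # different line width to show that comparison is on decoded bytes.
    merged = public + _sample_pem(b"constructed private root ", 76) + inter
    return (len(missing_from_bundle(overwritten, private_cas)),
            len(missing_from_bundle(merged, private_cas)))


if __name__ == "__main__":
    # Usage: script.py <bundle.pem> <private-ca.pem>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as b, \
             open(sys.argv[2], encoding="utf-8", errors="replace") as c:
            missing = missing_from_bundle(b.read(), c.read())
        print("missing:", missing or "none")
        sys.exit(1 if missing else 0)
    print(demo())
```

The check only confirms that the CA certificates are present in the bundle; it does not validate the mirror's certificate chain.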