OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: 9axqe on September 03, 2023, 12:13:32 PM

Title: User Certificate – Why is the private key required?
Post by: 9axqe on September 03, 2023, 12:13:32 PM
I am trying to set up a client certificate for automatic login into the opnsense GUI, one less daily hassle =)

The GUI mask is asking for the private key of this client certificate, which I am not willing to upload to sense and which also should not be required; opnsense only needs the public key.

Am I missing something?
Title: Re: User Certificate – Why is the private key required?
Post by: CJ on September 05, 2023, 03:10:01 PM
Can you elaborate on what you're trying to accomplish?  Automatic login to the UI how?  Where are you adding a cert?
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 05, 2023, 03:18:08 PM
I am attempting to authenticate to the opnsense GUI using a certificate instead of a password. I hope it will require fewer keystrokes from my side (I understand it depends on browser implementation).

Here you can find some details on how client certificate authentication works:
https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326

Under System > Access > Users, for each user there's a field called "User Certificates". I assumed this is intended for client certificate based authentication against the opnsense GUI. Did I misunderstand what this field is for?
Title: Re: User Certificate – Why is the private key required?
Post by: CJ on September 05, 2023, 03:44:54 PM
Any reason to not just use a password manager?

What happens if you leave the private key blank?  You'll note that the import screen isn't specific to just user certs.
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 05, 2023, 04:09:19 PM
If I leave the private key empty, I get an error telling me "The following input errors were detected: The field Key data is required."

I am hoping this is even faster than password manager.
Title: Re: User Certificate – Why is the private key required?
Post by: cookiemonster on September 05, 2023, 04:30:15 PM
Quote from: 9axqe on September 05, 2023, 03:18:08 PM
I am attempting to authenticate to the opnsense GUI using a certificate instead of a password. I hope it will require fewer keystrokes from my side (I understand it depends on browser implementation).

Here you can find some details on how client certificate authentication works:
https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326

Under System > Access > Users, for each user there's a field called "User Certificates". I assumed this is intended for client certificate based authentication against the opnsense GUI. Did I misunderstand what this field is for?
Dunno what the intention for this is and can't check the docs right now, but as long as it has the X509v3 Extended Key Usage attribute "TLS Web Client Authentication" then it can be used for that. To check you can issue:
# openssl x509 -text -in /path/to/certificate.crt -noout
Quote from: 9axqe on September 03, 2023, 12:13:32 PM
I am trying to set up a client certificate for automatic login into the opnsense GUI, one less daily hassle =)

The GUI mask is asking for the private key of this client certificate, which I am not willing to upload to sense and which also should not be required; opnsense only needs the public key.

Am I missing something?
Maybe some step of that post. A quick scan and it makes sense, like "Trying to get in: To use these certificates in our browser, we need to bundle them in PKCS#12 format. That will contain both the private key and the certificate, thus the browser can use it for encryption." The private key needs to be in play somehow.
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 05, 2023, 06:13:40 PM
The opnsense GUI only allows two text fields (no uploading of file), and the certificate must be in pem format, this is visible in the GUI.

The PKCS format is for the browser on my laptop, that is not a problem, my issue is with uploading the certificate to opnsense.

I have the certificate in question in pem format, I pasted it in the "user certificate" field, but there is no private key because the private key is meant to stay on my computer, not to be uploaded to the opnsense router, this is how asymmetric cryptography works: the private key stays on the machine which is authenticating itself, the public key is present on both sides.

Have a look at the attached screenshot of the opnsense GUI, maybe it will be clearer.
Title: Re: User Certificate – Why is the private key required?
Post by: cookiemonster on September 05, 2023, 06:24:43 PM
If this UI section requires the private key of the cert to be entered, then it is a client cert that it is for. That is, for the system to use to identify itself to other systems. But you surely know this as you're telling how asymmetric cryptography works, so it must be a trick question :)
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 05, 2023, 06:33:08 PM
I get to the screenshot attached above when I click on the little + next to "user certificate", under System > Access > User. See the screenshot.

Hence I assumed this is intended for uploading a user certificate, a certificate that allows the user to authenticate itself against opnsense. Not the other way around. Maybe I misunderstood this though, are you saying this "user certificate" is intended for opnsense to authenticate against my laptop? Isn't that what the opnsense GUI certificate is for?
Title: Re: User Certificate – Why is the private key required?
Post by: meyergru on September 05, 2023, 08:26:22 PM
When client certificates are used to authenticate, the server side usually does not have the client certificate, but only the CA certificate that is being used to sign the accepted client certificates.

Thus, it is very unlikely that a "client certificate" which can be uploaded can be used to authenticate "against" (i.e. server side), only to authenticate "with" (i.e. client side). For the latter purpose, the key is obviously needed.

AFAIK, there is no means to authenticate a user by client certificates in OpnSense.
Title: Re: User Certificate – Why is the private key required?
Post by: Patrick M. Hausen on September 05, 2023, 08:33:46 PM
You still might want to lock a single cert to a particular user. And we hopefully all agree that the server side requesting authentication never needs the private key  :D
Title: Re: User Certificate – Why is the private key required?
Post by: meyergru on September 05, 2023, 09:32:25 PM
Quote from: Patrick M. Hausen on September 05, 2023, 08:33:46 PM
You still might want to lock a single cert to a particular user. And we hopefully all agree that the server side requesting authentication never needs the private key  :D

Correct, but in practice, this is usually done by using some attributes of the certificate (e.g. CN) in order to be able to renew the certificate later on.

And yes, a server requires neither the client nor the CA certificate key. That is exactly why this specific client certificate is highly unlikely to represent something that serves as a means for server authentication of clients.
Title: Re: User Certificate – Why is the private key required?
Post by: cookiemonster on September 05, 2023, 10:07:26 PM
Quote from: Patrick M. Hausen on September 05, 2023, 08:33:46 PM
You still might want to lock a single cert to a particular user. And we hopefully all agree that the server side requesting authentication never needs the private key  :D
Most definitively.
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 06, 2023, 07:33:22 AM
Quote from: Patrick M. Hausen on September 05, 2023, 08:33:46 PM
You still might want to lock a single cert to a particular user.

I'm not sure I'm following, what do I want to lock a whole certificate (incl. private key) to a single user for? What is the use case behind it?
Title: Re: User Certificate – Why is the private key required?
Post by: Patrick M. Hausen on September 06, 2023, 09:46:35 AM
If you use certificates for client authentication you might want to make sure Joe can only use Joe's certificate and Bill only Bill's.
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 06, 2023, 11:11:50 AM
Ah yes, for sure. But Joe's private key doesn't leave Joe's computer, so Bill can keep dreaming...

OK, so: I feel like there's a GUI bug here. I can see I can upload a CA cert _without_ private key to opnsense, I think it should be the same for a user's HTTPS client certificate, it should not be limited to CA certificates.

Where are the certificates stored in opnsense, maybe I can try to add it (without private key) via CLI and see if it works.
Title: Re: User Certificate – Why is the private key required?
Post by: Patrick M. Hausen on September 06, 2023, 11:14:50 AM
Bill can use his own private key and log in as Joe if you only check validity and not match the CN to a particular user.
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 06, 2023, 11:17:50 AM
But if Bill uses his own private key, then it's not Joe's certificate, then there's no need to lock Joe's cert to Joe's user, no?

I mean, I don't mind locking certs to users, but I'm just saying it's maybe superfluous from a security point of view since each user can only present his own cert / private key... But it's probably definitely useful for administration, otherwise it can become chaos to manage...
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 07, 2023, 11:56:01 AM
OK, since I wasn't ok uploading the private key of that specific cert to the opnsense, I looked at it from a different angle. I'm still stuck, but I'm a couple of steps further at least.

1. I created a CA on opnsense, issued a certificate (when issuing I can choose NOT to store the private key on opnsense and just download it).
2. I assigned this new certificate to my user under System > Access > User
3. I converted the downloaded private key and certificate from two PEM files into a single pfx file using 'openssl pkcs12 -export -inkey private-key.pem -in certificate.pem -out client-cert.pfx'
4. I imported this cert into firefox

Now I'm trying to understand how I can use it to authenticate against opnsense. There's no specific prompt when loading the opnsense login page, just the usual username/pwd field.
Title: Re: User Certificate – Why is the private key required?
Post by: meyergru on September 07, 2023, 12:28:58 PM
That is my point: you can't. Because the purpose of the certificate that can be added to a user account is NOT to authenticate AGAINST, but to authenticate that user WITH.

As I tried to illustrate already, if you want to authenticate a user with a client certificate, you have to have a few separate things to achieve on the server side (i.e. OpnSense):

1. Configure the web server to enable client certificates in the first place in the web server. If this is the case, your browser will most likely prompt you to choose from your client certificates.

2. Configure the web server to verify if the presented client certificate is valid in the sense that it has been issued by a trusted CA. Thus, the web server has to include that CA in its certificate store. If it is a certificate issued by one of the "usual suspects" (i.e. official CAs), then fine.

3. (And this is where the problem lies) You have to check the content of the certificate in your web application, that is, some contained attribute in order to check against your user database. Usually, this is an e-mail address in the CN of the certificate, NOT the full certificate itself as you imply. If that user is in the database, the usual username/password prompt can then be skipped.

AFAIK, none of these mechanisms have been implemented in OpnSense (yet).
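The server-side mapping described in step 3, as an added example in Python (not OPNsense code, and not a feature OPNsense has, as the post says); it also shows Patrick M. Hausen's point above about tying a certificate's identity to the account being logged into. It assumes the web server has already done steps 1 and 2 and exposes the verification result plus the subject and issuer DNs as RFC 4514 strings (nginx's $ssl_client_verify, $ssl_client_s_dn and $ssl_client_i_dn are one such source); the user database, CA name and DNs are constructed.

```python
"""Server-side identity mapping for TLS client-certificate login (step 3)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample user database: each account is bound to the subject CN the
# CA puts in that user's certificate, not to a stored copy of the certificate
# (so renewals keep working) and never to its private key.
USERS: Dict[str, str] = {"joe": "joe@example.invalid", "bill": "bill@example.invalid"}
TRUSTED_ISSUER = "CN=Internal Client CA,O=Example"  # the only CA we accept (constructed)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 string DN into ordered (TYPE, value) pairs."""
    # Handles backslash escapes and '+' multi-valued RDNs; the \XX hex-escape
    # form is not needed for the sample input and is left out.
    pairs: List[Tuple[str, str]] = []
    buf, escaped = "", False
    for ch in dn + ("," if dn else ""):
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":  # end of one attribute=value pair
            typ, sep, val = buf.partition("=")
            if not sep or not typ.strip():
                raise ValueError("malformed RDN: %r" % buf)
            pairs.append((typ.strip().upper(), val))
            buf = ""
        else:
            buf += ch
    return pairs


def single_value(pairs: List[Tuple[str, str]], typ: str) -> Optional[str]:
    """Return the attribute only if it occurs exactly once (fail closed)."""
    vals = [v for t, v in pairs if t == typ]
    return vals[0] if len(vals) == 1 else None


def map_certificate_to_user(verify_result: str, subject_dn: str, issuer_dn: str,
                            requested_user: Optional[str] = None) -> Optional[str]:
    """Return the local username for a verified client cert, else None.
    Inputs are what the web server exposes after steps 1 and 2 (nginx:
    $ssl_client_verify, $ssl_client_s_dn, $ssl_client_i_dn)."""
    if verify_result != "SUCCESS" or parse_dn(issuer_dn) != parse_dn(TRUSTED_ISSUER):
        return None  # chain did not verify, or it chains to a CA we did not pick
    cn = single_value(parse_dn(subject_dn), "CN")
    matches = [u for u, bound in USERS.items() if cn is not None and bound == cn]
    # A valid cert from the trusted CA is not enough on its own: its identity
    # must be the account being logged into, or Bill's cert could log in as Joe.
    if len(matches) != 1 or (requested_user is not None and requested_user != matches[0]):
        return None
    return matches[0]
```

Note that nothing in this path ever needs the client's private key or a stored copy of the client certificate, only the CA choice and the attribute-to-user binding.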
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 07, 2023, 03:21:30 PM
Quote from: meyergru on September 07, 2023, 12:28:58 PM
the purpose of the certificate that can be added to a user account is NOT to authenticate AGAINST, but to authenticate that user WITH.

I think here lies my misunderstanding, I do not understand what you mean here: authenticate against what? With what? Opnsense? What does "authenticate with opnsense" mean here?

Could you maybe make a sample scenario of what such a user cert can be used for?
Title: Re: User Certificate – Why is the private key required?
Post by: Patrick M. Hausen on September 07, 2023, 03:56:21 PM
OpenVPN if I am not mistaken.
Title: Re: User Certificate – Why is the private key required?
Post by: 9axqe on September 07, 2023, 04:12:03 PM
That does make sense, thanks!

This is documented here:
https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html
Title: Re: User Certificate – Why is the private key required?
Post by: meyergru on September 07, 2023, 04:28:15 PM
Quote from: 9axqe on September 07, 2023, 03:21:30 PM
Quote from: meyergru on September 07, 2023, 12:28:58 PM
the purpose of the certificate that can be added to a user account is NOT to authenticate AGAINST, but to authenticate that user WITH.

I think here lies my misunderstanding, I do not understand what you mean here: authenticate against what? With what? Opnsense? What does "authenticate with opnsense" mean here?

Could you maybe make a sample scenario of what such a user cert can be used for?

"Authenticate a user against" the OpnSense GUI via a client certificate (OpnSense server side to accept such certificates is not implemented and also, would not have to know the specific certificate, only its CA and some attribute)

vs.

"authenticate an OpnSense user with" a client certificate to another party, like a public OpenVPN server (OpnSense in client role on behalf of a user by using his credentials / certificate).

It is explained in the manual: https://docs.opnsense.org/manual/certificates.html. Apart from OpenVPN, which uses certificates by default, there are other examples given. However, when you look it up, there are no configuration options in either the web proxy or the captive portal. The authentication methods in the manual for those scenarios do not include certificates.

But I think this is beside the point: we were discussing if (and if so: how) you could authenticate against the OpnSense GUI by using client certificates (which you cannot) and not what other purposes these certificates might be useful for.
Title: Re: User Certificate – Why is the private key required?
Post by: karlson2k on September 11, 2023, 11:23:26 AM
I think this point is very valid.

The public certificate can be used to check that the remote side is exactly the expected peer.

Currently it is possible to create a certificate without a private key when the certificate is created via the GUI: just set "Private key location" to "Download and do not save".
At the same time it is not possible to import an existing certificate without a private key (the "workaround" is to use a space as the private key: the certificate will be imported, reported as "with private key", but can be used only as a public certificate).