I am trying to set up web interface auth via client certificates.
I created a CA and a user certificate. But when I download the exported cert and try to add it to the keychain on my Mac it errors out. Checking the file using openssl also shows an error:
openssl pkcs12 -info -in cert.p12
004C26F401000000:error:0680007B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:105:
Any ideas?
Apply the patch or wait for 24.7.1
https://github.com/opnsense/core/issues/7703
opnsense-patch b3aa910
Ah interesting... of course, what timing to try this out. Thanks!
Question in general: is it possible to use a cert to log in to the web interface at all? It's hard to find some infos about that topic and ChatGPT seems to hallucinate an answer.
Not sure if lighttpd supports this. Note that these types of features are not certificate-based, they are CA-based so any valid certificate will yield you a login with matching CN from that CA.
Cheers,
Franco
I think it does, but it seems I misunderstood the intention of the client certificates in the UI then.
Quote from: franco on August 05, 2024, 09:58:31 AM
any valid certificate will yield you a login with matching CN from that CA.
Cheers,
Franco
Not necessarily, I think the key is the require part here - https://redmine.lighttpd.net/projects/lighttpd/wiki/Mod_auth
auth.require = ( "" =>
    (
        "method"  => "extern",
        "realm"   => "certificate",
        "require" => "user=agent007|user=agent008"
    )
)
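To show how the two halves of this fit together (the CA decides whose certificates verify at all, the require list decides which of those CNs may log in), here is an added plain lighttpd configuration fragment; it is not from the thread or from OPNsense's own configuration, and the file paths are placeholders.

```conf
# Added example: CA-based client-certificate login, narrowed to named users.
server.modules += ( "mod_openssl", "mod_auth" )

$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/path/to/server.pem"          # placeholder: server cert + key

    # Every certificate issued by this CA passes verification, so the CA file
    # alone decides who *can* present a valid login certificate.
    ssl.ca-file               = "/path/to/client-ca.pem"   # placeholder: client CA
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "enable"   # drop connections without a valid client cert
    ssl.verifyclient.depth    = 1          # only certs issued directly by that CA

    # Export the certificate's CN as REMOTE_USER; mod_auth's "extern" method
    # trusts whatever set REMOTE_USER and only applies the require rule to it.
    ssl.verifyclient.username = "SSL_CLIENT_S_DN_CN"

    # Without this allow-list, "valid-user" would let any CN from the CA in.
    auth.require = ( "" =>
        (
            "method"  => "extern",
            "realm"   => "certificate",
            "require" => "user=agent007|user=agent008"
        )
    )
}
```

Revoked or retired users still need their CN removed from the require list (or the certificate revoked via ssl.ca-crl-file), since a certificate the CA once issued stays valid until it expires.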
Ah, thanks. Missed that part. It appears to hook into the system trust store then?
Cheers,
Franco
PS: this lighttpd stuff is pluggable: https://github.com/opnsense/core/blob/master/src/etc/lighttpd_webgui/conf.d/README