Hi - I've provided a CSR and signed a certificate against the OPNsense internal CA.
I would like to download the PKCS#12 file format file, however after clicking on download, nothing happens.
I've tried different browsers and computers, rebooted the firewall, but it just doesn't provide a prompt to save the file.
Same issue occurs when trying to download the private key.
Downloading the "Certificate" does work! But I need the private key :)
Any ideas why it's not working?
Cheers!
OPNsense does not have the private key.
- generate key on client system
- generate CSR matching the key
- submit CSR for signing
- download signed certificate
The CSR does not contain the key. But you must generate a key first to create a CSR, anyway. So you should have the key even before you submit and sign the CSR.
Thanks Patrick, so if I import the certificate to the client, I'm guessing I can export the PKCS#12 file from the client that issued the CSR.
Thanks for confirming. AI LLMs were telling me to export it from the OPNsense firewall, I guess they're still not that good after all!
Depending on what you mean by "import". ;-) A certificate and a key in PEM format are really just text files and if you have both on your client it is trivial to generate a PKCS#12 from them:
openssl pkcs12 -export -out mycertpluskey.pfx -inkey mykey.pem -in mycert.pem
I see, so the private key is created on the client, then the CSR is created from the private key, the CSR is signed by the OPNsense CA and then I can download the certificate, create the PKCS#12 file from the certificate and the private key on the client via openssl.
Thanks for clearing that up Patrick!
I'm guessing the download PKCS#12 and Private Key download options are used if you create an internal certificate from within OPNsense first?
Quote from: foss-johnny on August 19, 2025, 12:56:47 PM
I'm guessing the download PKCS#12 and Private Key download options are used if you create an internal certificate from within OPNsense first?
Correct.
Quote from: Patrick M. Hausen on August 19, 2025, 01:10:01 PM
Quote from: foss-johnny on August 19, 2025, 12:56:47 PM
I'm guessing the download PKCS#12 and Private Key download options are used if you create an internal certificate from within OPNsense first?
Correct.
If you create a client certificate on OPNsense and sign it against the OPNsense internal CA, and select Key Location > "Download and do not save", is there a way to apply an encrypted password to the file before it's saved?
Quote from: foss-johnny on August 20, 2025, 04:36:51 AM
If you create a client certificate on OPNsense and sign it against the OPNsense internal CA, and select Key Location > "Download and do not save", is there a way to apply an encrypted password to the file before it's saved?
If you pick "Save on this firewall" instead and after issuing the certificate click on the download button to the right, you can pick PKCS#12 and enter a password.
If you want to only download it right away you need to apply encryption after the fact with e.g. openssl.
Quote from: Patrick M. Hausen on August 20, 2025, 10:34:36 AM
Quote from: foss-johnny on August 20, 2025, 04:36:51 AM
If you create a client certificate on OPNsense and sign it against the OPNsense internal CA, and select Key Location > "Download and do not save", is there a way to apply an encrypted password to the file before it's saved?
If you pick "Save on this firewall" instead and after issuing the certificate click on the download button to the right, you can pick PKCS#12 and enter a password.
If you want to only download it right away you need to apply encryption after the fact with e.g. openssl.
Next issue - I created the client certificate and selected "Save on this firewall", however...
After generating a client certificate within OPNsense that's signed against the OPNsense CA, and downloading the PKCS12 file and setting a simple password such as "password", when I try to open that on a client computer (macOS) it prompts for the password, but won't accept the password. Even if I download the PKCS12 file without setting a password, it prompts for the password, and when entering nothing, it won't accept and import to Keychain.
Different OpenSSL versions. Try OpenSSL from Homebrew or Macports, if they can open it at all. If yes, I do not quite remember the conversion steps necessary, but I remember vaguely that this had happened to me in the past, too.
Quote from: Patrick M. Hausen on August 20, 2025, 12:03:02 PM
Different OpenSSL versions.
Indeed, macOS is running 3.5.1.1 and OPNsense is running 3.0.17.
Will try that shortly. Thanks!