OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: XeroX on September 25, 2021, 03:24:50 pm

Title: Certificate renewal
Post by: XeroX on September 25, 2021, 03:24:50 pm
Hello,
is there any way to renew certificates that have been issued?

I use this as a "light" CA, as other systems are too complicated.

Cheers
Title: Re: Certificate renewal
Post by: bartjsmit on September 25, 2021, 11:21:02 pm
You can create a certificate signing request from an existing certificate:

openssl x509 -x509toreq -in old.crt -signkey private.key -out new.csr

Then sign this with System, Trust, Certificates, click + and select 'Sign a Certificate Signing Request'

Bart...
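The renewal flow from this reply, run end to end with the openssl CLI, as an added example (not part of the original post and not OPNsense code). The CA, host name, validity periods and every file name other than those in the command above are constructed, and the second `x509 -req` call is an assumed command-line stand-in for the GUI signing step.

```shell
#!/bin/sh
# Added example. Every subject, validity period and file name is constructed for the demo.
renew_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # Minimal config so the demo does not depend on the system openssl.cnf.
        printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
            'x509_extensions=v3_ca' '[dn]' 'CN=Demo Signing CA' '[v3_ca]' \
            'basicConstraints=critical,CA:TRUE' \
            'keyUsage=critical,keyCertSign,cRLSign' > demo.cnf
        # Extensions the signer puts on the server certificate.
        printf '%s\n' 'keyUsage=digitalSignature,keyEncipherment' \
            'extendedKeyUsage=serverAuth' \
            'subjectAltName=DNS:www.example.test' > leaf.ext

        # Stand-ins for the exported CA and the soon-to-expire server certificate.
        openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes \
            -keyout ca.key -out ca.crt -days 30 2>/dev/null &&
        openssl req -new -config demo.cnf -subj '/CN=www.example.test' \
            -newkey rsa:2048 -nodes -keyout private.key -out old.csr 2>/dev/null &&
        openssl x509 -req -in old.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
            -days 1 -extfile leaf.ext -out old.crt 2>/dev/null &&

        # The command from the thread: derive a CSR from the existing certificate.
        openssl x509 -x509toreq -in old.crt -signkey private.key \
            -out new.csr 2>/dev/null &&
        # CLI stand-in for the GUI signing step. x509 -req takes extensions
        # from -extfile, not from the CSR, so they are supplied again here.
        openssl x509 -req -in new.csr -CA ca.crt -CAkey ca.key -set_serial 2 \
            -days 365 -extfile leaf.ext -out new.crt 2>/dev/null &&

        # Checks: same public key, chain verifies, SAN kept, validity extended.
        [ "$(openssl x509 -in old.crt -noout -pubkey)" = \
          "$(openssl x509 -in new.crt -noout -pubkey)" ] &&
        openssl verify -CAfile ca.crt new.crt >/dev/null 2>&1 &&
        openssl x509 -in new.crt -noout -text | grep -q 'DNS:www.example.test' &&
        ! openssl x509 -in old.crt -noout -checkend 172800 >/dev/null &&
        openssl x509 -in new.crt -noout -checkend 172800 >/dev/null
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}
renew_demo && echo "renewed with the same key"
```

Because the key pair is unchanged, anything that pins the public key keeps working, but an exposure of the old key carries over to the renewed certificate.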
Title: Re: Certificate renewal
Post by: XeroX on October 06, 2021, 03:41:24 pm
I have to dig this up again. This feels uncomfortable when the private key was generated by OPNsense and I don't know where the certificates are on the FS.

Thanks for the tip, bartjsmit, but this doesn't work with a SubCA.


Is there a way to renew a certificate previously signed within OPNsense via CLI?
Title: Re: Certificate renewal
Post by: Fright on October 06, 2021, 07:11:27 pm
hi
Could you describe in more detail the initial data and the final goal?
Title: Re: Certificate renewal
Post by: XeroX on October 09, 2021, 12:00:54 pm
I do have the following certificates issued by OPNsense.

CA
|_ Inspection CA -> SSL Inspection Web Proxy
|_ Signing CA
   |_ Several Certificates for Web Servers

Now some certificates for webservers are expired and the inspection CA is expired. How to get these re-signed with the same private key or, if only possible, to re-sign without the private key?

I thought there is a better way than deleting and issuing again.

Title: Re: Certificate renewal
Post by: Fright on October 09, 2021, 12:33:36 pm
ah
you can try to export "old" certs .crt and .key files from System: Trust: Authorities (for CA cert) or System: Trust: Certificates (for server's certs).
then do what @bartjsmit advised.
what didn't work for CA?
did you specify the keyUsage?
Title: Re: Certificate renewal
Post by: XeroX on October 09, 2021, 03:08:22 pm
Quote from: Fright on October 09, 2021, 12:33:36 pm
> ah
> you can try to export "old" certs .crt and .key files from System: Trust: Authorities (for CA cert) or System: Trust: Certificates (for server's certs).
> then do what @bartjsmit advised.
> what didn't work for CA?
> did you specify the keyUsage?

Thank you. No, everything works with the CA; however, I thought a simple renew button would have been nice as long as the private keys are managed by OPNsense.

Title: Re: Certificate renewal
Post by: Fright on October 09, 2021, 04:01:20 pm
sorry, didn't guess that this is a hint of adding a new feature  :D
Title: Re: Certificate renewal
Post by: XeroX on October 09, 2021, 05:13:49 pm
Quote from: Fright on October 09, 2021, 04:01:20 pm
> sorry, didn't guess that this is a hint of adding a new feature  :D

Kind of. Actually the question was more like "am I blind", "is there an easy way" or "can I achieve this via cmdline" to renew certificates.

However, thanks for the help!