Messages - tsaG

#1
Yes, the X509v3 Basic Constraints CA value states it is a Cert, as it should.

I am quite sure this is a bug. I created the certificates in pfSense the same way I did on the OPNsense and it worked. The CN is now as given in the GUI and not the CA.
However, I now stay with pfSense since I installed it and it just works (as well as dyndns).
#2
Hi,

I recently exported certificates generated by OPNsense for my OpenVPN connection. To use the network for servers, I wanted to supply them with static IPs using "ifconfig-push" as a client override.

However, when checking the certificates for the Common Name, I realized that the Common Name of the certificate is the same as the Authority's (CA). This means all the certificates have the same Common Name, rendering the ifconfig solution impossible.

In the OPNsense WebGUI, the Common Name is correct. Reading the actual cert, however, the CNs are identical. In this case both are "internal-sslvpn-ca", which is the CN of the CA.

WebGUI:
emailAddress=info@XXXX, ST=HB, O=XXXX, L=HB, CN=nextcloud_VPN-cert, C=DE

The output of openssl x509 -noout -text -in nextcloud_VPN-cert.ovpn

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=DE, ST=HB, L=HB, O=XXXX/emailAddress=XXXX, CN=internal-sslvpn-ca
        Validity
            Not Before: Jul 19 15:17:05 2022 GMT
            Not After : Oct 21 15:17:05 2024 GMT
        Subject: C=DE, ST=HB, L=HB, O=XXXX/emailAddress=XXXX, CN=internal-sslvpn-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

Is this a bug?
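A check that fits the command in the post above, as an added example that is not part of the original post or of OPNsense: `openssl x509` parses only the first certificate in its input, so on an inline `.ovpn` profile it reports whichever block comes first. The sketch below splits a profile into its inline blocks and returns the `<cert>` certificate on its own; the sample profile is constructed, and the `<ca>`-before-`<cert>` order in it is an assumption about the exported file.

```python
import re

# Constructed sample profile: placeholder bodies, not real certificates or keys.
SAMPLE_OVPN = """\
client
dev tun
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCLIENT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDERKEY
-----END PRIVATE KEY-----
</key>
"""

# An inline block is <tag> on its own line, a body, then </tag> on its own line.
INLINE = re.compile(r"^<(?P<tag>[\w-]+)>\s*$(?P<body>.*?)^</(?P=tag)>\s*$", re.M | re.S)
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def inline_blocks(text):
    """Return (tag, body) for each inline block, in file order."""
    return [(m["tag"], m["body"].strip()) for m in INLINE.finditer(text)]

def certs_in_order(text):
    """Return (tag, pem) for each PEM certificate, in the order a PEM reader meets them."""
    return [(tag, pem) for tag, body in inline_blocks(text)
            for pem in PEM_CERT.findall(body)]

def first_cert_tag(text):
    """Tag of the block holding the first certificate in the file, or None."""
    certs = certs_in_order(text)
    return certs[0][0] if certs else None

def client_cert_pem(text):
    """PEM from the <cert> block only, or None if the profile has none inline."""
    return next((pem + "\n" for tag, pem in certs_in_order(text) if tag == "cert"), None)

if __name__ == "__main__":
    print("first certificate in file comes from:", first_cert_tag(SAMPLE_OVPN))
    print(client_cert_pem(SAMPLE_OVPN), end="")
```

Piping the result of `client_cert_pem` into `openssl x509 -noout -subject -issuer` shows the Subject of the client certificate itself rather than of the first block in the file.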
#3
Hey! I switched from WireGuard to OpenVPN. However, TrueNAS Scale doesn't want to eat it. When I input the OpenVPN connection details to use TrueNAS as an OpenVPN client, I get the message "Root CA must have KeyUsage extension set." I exported the client certificates (including CA, cert and private key) from OPNsense in the OpenVPN Client export section. Any ideas how to fix that? As far as I can see, there is no specific option to add this.

I was following the Roadwarrior OpenVPN Tutorial: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html