
Messages - jsingh

#1
I apologize for the previous post, since I did make some mistakes. I was looking into the permutations of what seems to be the behaviour. You replied while I was making corrections to the previous post. Anyways, I had followed the steps you outlined. I used secp384r1 and SHA-256 throughout with 365 days validity. I did add a common name for my final certificate.

The only difference being I used the local machine store rather than the user store for the certificates. I am viewing the certificate directly in Windows rather than using the browser and installing it on the router web interface, but I don't think these should make any difference. UPDATE: It does make a difference, especially with pfSense certs.

I did notice some differences between the certs I created in both the pfSense and OPNsense GUIs, and hence the whole reason for my OP.


  • For pfSense certs, I imported the root cert in the Windows local machine store in the root certificates section. I found out that the final certificate does not validate without importing the intermediate CA as well.
    UPDATE: Google Chrome does validate against the root certificate, but the Windows certificate viewer does not validate the server cert against the root certificate. It requires the intermediate certificate to be installed in the certificate store.
    Additionally, if I let Windows choose automatically, it installs the root certificate in the intermediate certificates store; I don't know why that's so.

  • I followed the same steps with OPNsense. The OPNsense cert validates itself with the root certificate installed. The intermediate certificate never shows itself as a part of the certificate chain, even if I install the intermediate certificate.
    Update: Google Chrome shows the whole certificate chain as you said, but weirdly the Windows certificate viewer does not.

@netnut With your clarifications, I do have an understanding of what's going on. I don't understand the real reason behind these differences, but it seems to be so. I am a newbie in understanding certificate implementation. I studied these back in college, and that was a long time ago.
#2
First of all, thanks for taking the time out for this; I've been banging my head around on this weird thing for a few days now.
So I created all my certificates through the wizard and used the GUI for everything, and I made up those certs to show the chain issue. The actual certs have all the information you suggested except the email and the SAN part for the root certificate. That I will correct when I recreate them. I have attached some images from another attempt. It's the same problem: these certificates have no chain.

I had to import my intermediate certificate in the root store for the server certificate to be validated. I followed the same steps on my pfSense box GUI with no such issue in the cert chain.
#3
So this is test-ca:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = test-ca
        Validity
            Not Before: Apr  3 23:19:45 2024 GMT
            Not After : Apr  3 23:19:45 2025 GMT
        Subject: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = test-ca
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:19:10:8b:69:9b:6e:2c:e6:50:14:8e:65:c9:a9:
                    d2:a1:27:3e:ee:90:6b:ef:ea:96:62:5c:6a:08:e4:
                    a5:ed:ba:bc:cc:5b:93:f4:35:dc:01:6a:3d:48:94:
                    ea:dc:73:ce:a1:90:10:05:14:d4:ac:d3:69:c9:e4:
                    a5:8f:91:37:ae:d5:a0:e7:24:f4:04:05:ff:1e:03:
                    9c:4b:f0:11:1d:f0:9a:f1:c0:c5:b4:73:7e:2a:db:
                    31:ad:f4:42:d2:d1:35
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            Netscape Comment:
                OPNsense Generated Certificate Authority
            X509v3 Subject Key Identifier:
                52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
            X509v3 Authority Key Identifier:
                52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:65:02:30:64:6b:58:b0:14:77:2d:9c:66:23:5e:7c:58:bd:
        22:04:b7:e1:96:9a:65:79:18:8b:46:66:8f:b8:74:e0:1b:e7:
        f4:89:aa:50:82:03:0a:f5:83:78:c3:39:d3:e4:8b:56:02:31:
        00:d1:47:0f:42:e1:6c:95:40:3e:2d:65:bd:14:04:04:b9:cb:
        b2:60:2f:5e:f8:a0:fe:1f:88:28:e7:85:77:bb:eb:f9:48:60:
        a2:e7:b5:8e:c2:2e:7b:20:cd:c0:a8:ec:4f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


Intermediate CA

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = test-ca
        Validity
            Not Before: Apr  3 23:20:18 2024 GMT
            Not After : Dec 24 23:20:18 2024 GMT
        Subject: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = Test-ca-inter
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:19:10:8b:69:9b:6e:2c:e6:50:14:8e:65:c9:a9:
                    d2:a1:27:3e:ee:90:6b:ef:ea:96:62:5c:6a:08:e4:
                    a5:ed:ba:bc:cc:5b:93:f4:35:dc:01:6a:3d:48:94:
                    ea:dc:73:ce:a1:90:10:05:14:d4:ac:d3:69:c9:e4:
                    a5:8f:91:37:ae:d5:a0:e7:24:f4:04:05:ff:1e:03:
                    9c:4b:f0:11:1d:f0:9a:f1:c0:c5:b4:73:7e:2a:db:
                    31:ad:f4:42:d2:d1:35
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            Netscape Comment:
                OPNsense Generated Certificate Authority
            X509v3 Subject Key Identifier:
                52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
            X509v3 Authority Key Identifier:
                52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:65:02:31:00:b4:31:71:cb:d6:cc:57:62:67:49:13:5f:a4:
        f1:76:4b:ee:a5:dc:e7:c2:8f:47:97:cf:0b:33:4f:90:ed:66:
        a7:b5:29:55:31:d7:df:b6:98:0c:59:1e:09:40:19:dd:d9:02:
        30:2a:0a:ee:dc:ec:55:81:f0:ee:7a:b6:a5:9d:5e:d6:a3:9e:
        d4:94:6f:d6:cb:ab:15:70:a0:b6:54:8a:45:b8:f9:69:2c:fd:
        5b:01:2b:16:f5:16:e2:ed:dc:c5:8e:f4:87
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


The Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = Test-ca-inter
        Validity
            Not Before: Apr  3 23:21:02 2024 GMT
            Not After : Apr  3 23:21:02 2025 GMT
        Subject: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = test-cert
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:33:d9:49:c6:0b:fd:1d:91:d3:59:5b:40:5e:06:
                    e2:66:d5:aa:f9:91:31:89:37:93:49:6e:36:17:9f:
                    d4:75:0d:60:1a:30:57:cd:90:56:2d:88:aa:df:08:
                    85:d2:29:6b:4c:88:34:d2:c0:32:18:fd:9f:ec:d7:
                    e0:4a:34:83:80:59:f8:ca:2a:9b:b8:9b:5c:c9:a5:
                    66:94:fc:37:9c:04:41:ef:c9:ee:89:93:02:2d:d9:
                    38:72:25:03:f0:15:21
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OPNsense Generated Server Certificate
            X509v3 Subject Key Identifier:
                91:78:17:C4:6C:A3:F0:A6:E9:04:8F:B8:2A:2A:54:FA:A9:08:F7:9B
            X509v3 Authority Key Identifier:
                keyid:52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
                DirName:/C=CA/ST=TEST/L=TEST/O=Test/emailAddress=Test@gmail.com/CN=test-ca
                serial:01
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:65:02:31:00:fd:67:a2:f4:d4:4b:15:79:47:96:20:2f:eb:
        2d:72:83:a3:74:ef:e2:f2:4c:fd:bc:aa:72:a0:87:5a:be:b0:
        3c:20:ce:f4:f5:bf:ca:ef:35:01:4f:78:1a:3a:08:a5:4f:02:
        30:36:b3:8a:17:9c:0b:65:0c:30:8a:47:5f:20:be:50:35:c6:
        ef:52:9c:cb:f3:11:4f:f1:9e:a8:6d:32:40:53:98:34:1e:7e:
        b7:6c:cd:67:7d:d3:13:c5:02:b0:d4:1f:fa
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
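The three dumps above carry everything needed to check how the chain links together before anything is imported into a trust store: each certificate's Issuer must equal the next one's Subject, and each Authority Key Identifier (AKI) should point at the Subject Key Identifier (SKI) of the certificate that signed it, while every certificate in the chain should have its own key and its own SKI. The script below is an added example, not code from anyone in this thread and not part of OPNsense or pfSense; it uses only the Python standard library, parses the `openssl x509 -text` layout shown above (the certificate texts are trimmed copies of the three dumps, with the public keys cut to their first two lines, which is enough for comparison), and then runs the same checks over a constructed "fixed" variant whose intermediate has a made-up SKI and key bytes, so the two results can be compared side by side. It works for chains of any length, leaf first, trust anchor last.

```python
"""Added example: check the SKI/AKI and issuer/subject links of a certificate
chain from the text printed by `openssl x509 -noout -text`. Stdlib only."""
import re

# Trimmed from the dumps quoted in the thread (pub keys cut to two lines).
ROOT_TEXT = """\
        Issuer: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = test-ca
        Subject: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = test-ca
                pub:
                    04:19:10:8b:69:9b:6e:2c:e6:50:14:8e:65:c9:a9:
                    d2:a1:27:3e:ee:90:6b:ef:ea:96:62:5c:6a:08:e4:
            X509v3 Subject Key Identifier:
                52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
            X509v3 Authority Key Identifier:
                52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
INTER_TEXT = """\
        Issuer: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = test-ca
        Subject: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = Test-ca-inter
                pub:
                    04:19:10:8b:69:9b:6e:2c:e6:50:14:8e:65:c9:a9:
                    d2:a1:27:3e:ee:90:6b:ef:ea:96:62:5c:6a:08:e4:
            X509v3 Subject Key Identifier:
                52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
            X509v3 Authority Key Identifier:
                52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
            X509v3 Basic Constraints: critical
                CA:TRUE
"""
LEAF_TEXT = """\
        Issuer: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = Test-ca-inter
        Subject: C = CA, ST = TEST, L = TEST, O = Test, emailAddress = Test@gmail.com, CN = test-cert
                pub:
                    04:33:d9:49:c6:0b:fd:1d:91:d3:59:5b:40:5e:06:
                    e2:66:d5:aa:f9:91:31:89:37:93:49:6e:36:17:9f:
            X509v3 Subject Key Identifier:
                91:78:17:C4:6C:A3:F0:A6:E9:04:8F:B8:2A:2A:54:FA:A9:08:F7:9B
            X509v3 Authority Key Identifier:
                keyid:52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84
            X509v3 Basic Constraints:
                CA:FALSE
"""
HEX_LINE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2})*:?$")

def parse_cert_text(text):
    """Extract the chain-relevant fields from an `openssl x509 -text` dump."""
    lines = [ln.strip() for ln in text.splitlines()]
    cert = {"issuer": "", "subject": "", "ski": "", "aki": "", "ca": False, "pub": ""}
    for i, s in enumerate(lines):
        if s.startswith("Issuer:"):
            cert["issuer"] = s[len("Issuer:"):].strip()
        elif s.startswith("Subject:"):
            cert["subject"] = s[len("Subject:"):].strip()
        elif s == "X509v3 Subject Key Identifier:":
            cert["ski"] = lines[i + 1].upper()
        elif s == "X509v3 Authority Key Identifier:":
            cert["aki"] = re.sub(r"^keyid:", "", lines[i + 1]).upper()
        elif s.startswith("X509v3 Basic Constraints"):
            cert["ca"] = lines[i + 1] == "CA:TRUE"
        elif s == "pub:":  # gather the hex lines of the public key
            j = i + 1
            while j < len(lines) and HEX_LINE.match(lines[j]):
                cert["pub"] += lines[j]
                j += 1
    return cert

def cn(cert):
    m = re.search(r"CN = ([^,]+)", cert["subject"])
    return m.group(1) if m else cert["subject"]

def check_chain(chain):
    """chain is leaf first, trust anchor last; returns a list of findings."""
    findings = []
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            findings.append(f"{cn(child)}: issuer does not match subject of {cn(parent)}")
        if not parent["ca"]:
            findings.append(f"{cn(parent)}: signs certificates but is not CA:TRUE")
        if child["aki"] and parent["ski"] and child["aki"] != parent["ski"]:
            findings.append(f"{cn(child)}: AKI {child['aki']} does not match SKI of {cn(parent)}")
        if child["ski"] and child["ski"] == parent["ski"]:
            findings.append(f"{cn(child)}: SKI identical to that of {cn(parent)}")
        if child["pub"] and child["pub"] == parent["pub"]:
            findings.append(f"{cn(child)}: public key identical to that of {cn(parent)}")
        if child["aki"] and child["aki"] == child["ski"]:
            findings.append(f"{cn(child)}: AKI equals its own SKI, so it looks self-issued")
    if chain[-1]["issuer"] != chain[-1]["subject"]:
        findings.append(f"{cn(chain[-1])}: trust anchor is not self-signed")
    return findings

SHARED_SKI = "52:29:10:B0:B7:16:67:C3:C4:44:49:82:3F:30:4D:C2:BB:BA:E4:84"
NEW_SKI = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:02:03:04"  # constructed

def page_chain_findings():
    """Findings for the chain exactly as dumped in the thread."""
    return check_chain([parse_cert_text(t) for t in (LEAF_TEXT, INTER_TEXT, ROOT_TEXT)])

def fixed_chain_findings():
    """Constructed variant: intermediate with its own SKI and key bytes, and a
    leaf whose AKI points at that SKI. This is what a healthy chain looks like."""
    inter = INTER_TEXT.replace(SHARED_SKI, NEW_SKI, 1).replace("04:19:10:8b:69", "04:aa:bb:cc:dd", 1)
    leaf = LEAF_TEXT.replace("keyid:" + SHARED_SKI, "keyid:" + NEW_SKI)
    return check_chain([parse_cert_text(t) for t in (leaf, inter, ROOT_TEXT)])

if __name__ == "__main__":
    for name, fn in (("as dumped", page_chain_findings), ("fixed", fixed_chain_findings)):
        print(f"{name}: {fn() or ['all links consistent']}")
```

Run over the dumps as posted, the checker reports that the intermediate's SKI and public key are identical to the root's and that its AKI equals its own SKI; the constructed variant reports nothing. A chain builder that locates issuers by key identifier, as the Windows certificate viewer does, has no way to tell two CA certificates apart when they share an SKI, which is the kind of anomaly worth ruling out before importing anything into a machine trust store.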
#4
I made sure of importing the root CA and intermediate CA in the correct location. pfSense certs have no issues; it's only the OPNsense certs. This is what the Certification Path for the final server certificates that I created from the Intermediate CA shows in Windows:

pfSense cert:

Root-CA
->Intermediate-CA
--->Certificate

OPNsense cert:

Intermediate-CA
->Certificate

Windows always throws an error that the intermediate certificate cannot be validated against the root certificate, since the root CA is not part of the certification path in the OPNsense cert.


#5
I am trying to create a certificate authority for internal services in OPNsense. I created a root CA and then an intermediate CA. When I tried to install the certificates in the Windows trust store, the intermediate certificate won't authenticate against the root CA.
I noticed that the certificate does not have the complete chain, whereas certs from my pfSense box CA have a full certificate chain. Is this expected behavior or a bug?
If it's a bug, how do I download the complete certificate?