Messages - ita.tc

#1
I'm sorry for not responding to my own thread in quite a while. Work has been busy and I was on vacation.
I just wanted to thank everyone who contributed to this thread. I can report that my latest test with 24.7.6 shows no more problems with certificate import or export. Even the manual naming of the downloaded certificates was fixed!
We will now slowly start rolling out 24.7.
#2
Thank you for your efforts! I hope this gets fixed soon. As long as this issue persists we won't be using 24.7.
I also noticed that the way to export certificates was "better" before. You need extra clicks now and you have to name the files yourself. It's way more cumbersome in 24.7
#3
Thank you for your input, netnut. You are right, those two certs were indeed created on 24.7.0. The original issue occurred on a fully patched system with 24.7.1 installed on both firewalls.
I have updated my test system, deleted both certificate and CA and created new ones. But after import on the second firewall the certificate is still listed as self-signed and trying to use it in an OpenVPN instance leads to the aforementioned error "Unable to locate a CA for this certificate". The exact same thing happens when I import the certificates you provided.

As for your other points: I'm thankful for your input and will bring this up internally. Sadly I don't have as much time for research and development as I once did so I appreciate you taking your time to educate me.

For reference, the newly created certificate (still RSA ;)):

#4
Hi netnut,
thank you for your reply and excuse my late response. Sadly we noticed this bug with two firewalls that needed to be deployed, so we had to roll back to 24.1.
I have just installed two new 24.7 OPNsenses and could recreate the issue. Here's the certificate data:

#5
We're having trouble with importing certificates on 24.7.1:
While trying to set up a site to site OpenVPN we created a CA and certificate on firewall A and exported those as usual.
We then imported the CA and then the certificate on firewall B, but the certificate shows up as "self signed" and trying to use it in an OpenVPN instance leads to an error (Unable to locate a CA for this certificate.).

If I reproduce these exact same steps on an older OPNsense (I used one on 22.7.11 that I have for reference) the certificate is correctly linked to the CA.

Is this a known issue in 24.7? Do we need to do something differently than before?