Messages - ssdanie

#1
I can confirm: paste IntCa.pem and domain.pem in one file and the root CA in the system root authority database, and all is good, but...
Please document that. I tried 3 web GUIs (Proxmox, Synology, HPE iLO) and all of them want the AIO solution.

Thanks
#2
I opened with a text editor the certificate generated by 23.7, which works on Proxmox without importing the intermediate CA, and there is only one block
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

But from your answer I must make a crt file with two blocks, correct?
So in the server certificate I must add the block
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
from the int CA, correct?
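An added example, not part of the posts on this page and not OPNsense's own tooling: it builds a throwaway root, intermediate and server certificate with `openssl`, writes the two-block file (server certificate first, then the intermediate), and checks what a client that trusts only the root sees in each case. All names, file names and the host name `pve.lab.example` are constructed for the example.

```shell
#!/usr/bin/env bash
# Constructed lab PKI (root -> intermediate -> server); every name here is made up.

build_lab_pki() {   # $1 = empty working directory
  d=$1
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:pve.lab.example
EOF
  # Self-signed root CA: the only certificate the client imports as trusted.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/x.cnf" \
    -extensions v3_ca -subj "/CN=Lab Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate signed by the root, then server certificate signed by the intermediate.
  issue "$d" int  "Lab Intermediate CA" root v3_ca   || return 1
  issue "$d" leaf "pve.lab.example"     int  v3_leaf || return 1
  # The two-block file for the web GUI: server certificate first, intermediate second.
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

issue() {           # $1 dir, $2 name, $3 CN, $4 signer name, $5 extension section
  openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 30 -extfile "$1/x.cnf" -extensions "$5" \
    -out "$1/$2.pem" 2>/dev/null
}

# Client view: trusts only root.pem; $2 is the file the server presents.
# Everything in $2 is treated as untrusted chain material, as in a TLS handshake.
verify_as_client() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
}

lab=$(mktemp -d)
build_lab_pki "$lab" || { echo "openssl failed"; exit 1; }
for sent in leaf.pem fullchain.pem; do
  if verify_as_client "$lab" "$lab/$sent"; then r=valid; else r="chain incomplete"; fi
  echo "server presents $sent -> $r"
done
```

The root certificate does not need to be in the file the server presents; the client already holds it as its trust anchor.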
#3
Why must I talk about VPN now?
The certificates are used to trust an HTTPS connection.

But how must I combine the certificates? Then I can try immediately. I'm not talking about a wrong or a good way, but only about one way that works and another that doesn't work without a correct and new method.
#4
Italian - Italiano / Re: Trust CA and intermediate CA
October 21, 2024, 10:19:25 AM
I ran the test with OPNsense version 23.7.
I have just verified with OPNsense 23.7 and everything works correctly:
1 I created my root CA
2 created the int CA signed by the root CA
3 created the server certificate signed by the int CA
4 imported my root CA into the Windows root certificate database
The certificate is valid in both the Proxmox web GUI and the HPE iLO web GUI.
If instead, with OPNsense 24.7, I do the following:
1 I create my root CA
2 I create a new certificate for an internal CA signed by my root CA
3 I import the int CA via Authorities, pasting the certificate data and the key generated in step 2
4 I import my root CA into the Windows trusted root authorities database
the certificate is not valid because the entire certificate chain is not recognized.

In any case I have opened a thread in the main forum; let's see how it goes.
#5
"I just tested with OPNsense 23.7, and everything works perfectly:

1) I created my root CA,
2) created the intermediate CA signed by the root CA,
3) generated the server certificate signed by the intermediate CA,
4) imported my root CA into the Windows trusted root certificate store.

The certificate is valid both in the Proxmox web GUI and in the HPE iLO web GUI. However, if I follow a similar process with OPNsense 24.7:

1) I create my root CA,
2) create a new certificate for an internal CA signed by my root CA,
3) import the intermediate CA via Authorities by pasting the certificate and key generated in step 2 (more complicated and long)
4) import my root CA into the Windows trusted root certificate store, the certificate is not valid because the entire certificate chain is not recognized."
#6
The issue isn't with a private Apache or Nginx server, but with portals like HPE iLO, Synology web GUI, and even the Proxmox web GUI, which is easy for me to test. However, they don't present any problems if I use a Let's Encrypt certificate, for example.
In these portals, I don't have much to configure: I just upload the certificate and the key, and everything usually works, at least with other certificates.
I think I have an old OPNsense ISO and another Sense distro, and as soon as I have time to install them, I'll run some tests. However, it seems that the certificate generated by an intermediate CA set up this way doesn't link the entire chain starting from the root CA.
#7
Good evening,

After updating to version 27.7.6, I am no longer able to generate certificates with what I believe to be the correct Root CA and Intermediate CA chain.

The solution provided in post 5 doesn't work for me, or at least it doesn't behave as it used to.

When I generate a server certificate, to make it valid on my devices, I need to import both the Root CA and the Intermediate CA. However, shouldn't it be enough to just import the Root CA, or am I mistaken?

The issue doesn't occur with the WebGUI. If I use a certificate generated by my CA, importing just the Root CA is enough to establish a valid SSL connection, but this doesn't seem to be the case with other servers.

I suspect that the generated certificate lacks the Root CA data because, when I inspect the hierarchy from a browser, it stops at the Intermediate CA.

If I import the Intermediate CA as a root authority (in Windows' trusted root certification authorities), it works. Otherwise, if I correctly import it among the intermediate certification authorities, I also need to import the Root CA. When both authorities are imported, the hierarchy appears correct in the browser, which I assume is more proper, as both authorities are installed on my PC.

Does this seem correct to you? Am I missing a step?
#8
Italian - Italiano / Trust CA and intermediate CA
October 20, 2024, 11:25:17 PM
Good evening,
after updating to 27.7.6 I can no longer generate certificates with the correct, I believe, Root CA and Intermediate CA chain.
I read something on the forum https://forum.opnsense.org/index.php?topic=41840.0 but the solution provided in post 5 does not work correctly for me, or at least not the way I used it previously.
When I generate a server certificate, to make it valid on my devices I have to import both the root CA and the intermediate CA, but shouldn't it be enough to import the Root CA, or am I wrong?
The problem does not occur with the WebGUI: if I have it use a certificate generated by my CA, importing the root CA is enough to get a valid SSL connection, but on other servers it does occur.
I think the Root CA data is missing from the generated certificate, because when I look at the hierarchy from the browser, it stops at the intermediate CA.
If I import the intermediate CA as a root CA, under trusted root certification authorities in Windows, then it works; otherwise, if I import it correctly under Intermediate Certification Authorities, I also have to import the root CA. With both authorities imported, the hierarchy looks correct in the browser, but I imagine this is to be expected at this point, since both authorities are installed on my PC.
Does this seem correct to you?
Am I getting some step wrong?