Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Intermediate CA for OpenVPN Clients' Certificates
« previous
next »
Print
Pages: [
1
]
Author
Topic: Intermediate CA for OpenVPN Clients' Certificates (Read 1078 times)
treadnaught
Newbie
Posts: 2
Karma: 0
Intermediate CA for OpenVPN Clients' Certificates
«
on:
June 29, 2023, 04:42:19 am »
Good evening!
Firstly, just wanted to say that I am really appreciative of all the work done by the dev team and community members that brought OPNsense to where it is now. Thank you all for what you do.
Problem set:
I'm trying to set up an intermediate Certificate Authority to issue certificates for OpenVPN clients for remote access that I'm going to be implementing soon, but I've already got an external CA for the beginning of my chain of trust and do not wish to generate a new internal root CA.
The road warrior documentation covers setting up an internal root CA and then generating an intermediate CA based off of that local root CA, but I would like to set up an intermediate CA that is signed by my internal root CA so I won't have to import another root CA certificate to trust.
Searching the forums previously has not yielded anything of this nature that I could find so far.
Whenever I go to System > Trust > Authorities, I have my root CA configured as the top of the chain, but when attempting to create an intermediate CA, it does not give me the option to generate a CSR to take to my root CA for issuing. Is there a way to generate a CSR somewhere in the web UI that I'm not finding? Or is there a list of requirements for the CSR that I can use to generate the request on the OPNsense firewall?
Thank you in advance for your time,
Treadnaught
P.S. Perhaps this could be turned into a feature request sometime down the road for anyone else as crazy as I am.
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: Intermediate CA for OpenVPN Clients' Certificates
«
Reply #1 on:
June 29, 2023, 08:28:16 am »
Creating a CSR for a CA is not supported at this point. If you want to request a feature you can do so via
https://github.com/opnsense/core/issues/new?assignees=&labels=&projects=&template=feature_request.md&title=
But you can always create a CSR manually and import the resulting CA.
Cheers,
Franco
Logged
treadnaught
Newbie
Posts: 2
Karma: 0
Re: Intermediate CA for OpenVPN Clients' Certificates
«
Reply #2 on:
June 30, 2023, 01:12:36 pm »
Franco,
Thanks for your quick reply. I will definitely put in a feature request on the github page once I get the Intermediate CA set up on my OPNsense device.
For the Intermediate CA request, are there any specific OIDs that I need to include for the firewall to accept the CA cert for use? Only reason I ask is that the web server certificate required the Netscape SSL Server OID before it would work on the web server.
Thank you in advance for your time,
Treadnaught
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: Intermediate CA for OpenVPN Clients' Certificates
«
Reply #3 on:
June 30, 2023, 02:20:36 pm »
It depends on where you want to sign the CA. Some CA's tend to force their "best practice" OIDs to the point where the requested settings are discarded. If you have your own CA somewhere it's a bit more tricky as you would need to be careful which values are set.
In both cases you want a "modern" set of OIDs for a (web) server certificate and that's it.
Not a specific answer as that is a bit in flux over time and I don't know this stuff by heart.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Intermediate CA for OpenVPN Clients' Certificates