S/MIME Certificates with OPNsense

[xatru]

Hi everybody,
since around half a year I use OPNsense as firewall and VPN endpoint at home. I’m quite happy, as the installation is easy and everything I need is included – and of course it’s free I also use the System:Trust part of OPNsense as CA for all my devices. As I, of course, trust my own CA, everything works fine.

The only issue I currently have is that I would also like to use the certificated for E-Mail encryption and signing. I’m not sure if I do something wrong, but whatever I try I’m not able to use the generated certificated for mail encryption in outlook. I already searched the web and the forum here, but I wasn’t able to find any helpful information. Does anyone ever tried to create certificates for S/MIME encryption for outlook with OPNsense and can give support or a short tutorial here?

[qinohe]

Hi xatru, interesting, I am using self-signed chains for 'everything' as well, but, I did not try to setup a local mail server with a chain from OPNsense, yet.

There is a wiki page on this subject that should get you started: https://wiki.opnsense.org/manual/how-tos/self-signed-chain.html
Please, how did you create the chain, with intermediate?, you should use the CA and install that in your client.

If I have some free time I'll setup a local mail server and add my results to the wiki, have some patience though, could take some time 

Greetings, mark

[franco]

S/MIME encryption and signing have separate certificate extensions. You can't create them with OPNsense.


Cheers,
Franco

[qinohe]

Yes, I know, but my plan was to export the whole CA to some local machine, create what I need there.
It may not even be possible to do it that way, but that was the plan 

Greeting, mark

[schnipp]

You can export the CA and its private key for externally signing CSRs. But i cannot recommend this approach unless you know what you do. Keep in mind, you then have to manage two databases of serial numbers which you have to combine to one CRL in case of certificate issues.

The better way is to use an own CA or intermediate CA derived from your CA in Opnsense. For email encryption the leave certificate needs the correct attributes (e.g. key usage: signing, non repudiation, key encryption; extended key usage: email security [1.3.6.1.5.5.7.3.4])

[qinohe]

Hey schnipp, thanks for the answer.
Your first part was in fact what I had in mind, CRL is not important for a local solution, so yeah I would have chosen this quick and dirty method.

The second part never done that, what is it you mean exactly, derive a CA from the OPNsense CA, how should I go about doing this?
Don't worry I'll read about it some more and try figure it out anyway, though, this will be a project for the cold winter days, I'm somehow short on time at the moment.

I do understand in this case the leaf certificate needs the correct attributes to work as S/MIME certificate.

Greetings, mark

[schnipp]

Hey schnipp, thanks for the answer.
Your first part was in fact what I had in mind, CRL is not important for a local solution, so yeah I would have chosen this quick and dirty method.

The second part never done that, what is it you mean exactly, derive a CA from the OPNsense CA, how should I go about doing this?
Don't worry I'll read about it some more and try figure it out anyway, though, this will be a project for the cold winter days, I'm somehow short on time at the moment.

I do understand in this case the leaf certificate needs the correct attributes to work as S/MIME certificate.

Greetings, mark

Do you use S/MIME certificates for external email communication? If this is the case, you should have a CRL for a better trust in your CA. A derived CA is also called an intermediate CA which itself signs another intermediate CA or leaf certificate (see here)

[qinohe]

Ah, that's what you mean, I understand that, and no, I don't run my own email server, have never felt the need to, though, I did set one up once or twice..
Btw. I have written the self-signed certificate wiki page (OPNsense wiki)
The reason I want to setup one now is because the number of servers have grown and they can all send messages about their state, I could also use a 3G/4G cell for that, but this costs nearly nothing.

xatru: I'm not trying to hijack your thread, this is forum policy, thanks

Greetings, mark