Topic: Installing a CA Bundle (Read 4366 times)
Deku (Newbie, Posts: 31, Karma: 4)
Installing a CA Bundle « on: February 17, 2022, 05:28:31 pm »
Are there any instructions for how to install a CA Bundle? Is this imported under the Certificate Authority or do you import it as a normal certificate? If certificate, how do I get the key?
I get from namecheap a domain.ca file and a domain.ca-bundle and also a domain.p7b file. When I go to import a certificate, it asks for the "Certificate data" and the "Private Key". I'm just not sure what to do here and I can't find instructions.
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: Installing a CA Bundle « Reply #1 on: February 18, 2022, 08:20:23 am »
Add CA bundles to system: trust: authorities.
Cheers,
Franco
Deku (Newbie, Posts: 31, Karma: 4)
Re: Installing a CA Bundle « Reply #2 on: December 12, 2022, 10:55:33 pm »
This doesn't appear to be sending the bundle with the cert in HAProxy. If I do a wget, I get "Unable to locally verify the issuer's authority". It works fine in the web browser though. Other apps are having issues. How do I turn it "on" for HAProxy?
« Last Edit: December 12, 2022, 10:58:59 pm by Deku »
franco (Administrator, Hero Member, Posts: 17661, Karma: 1611)
Re: Installing a CA Bundle « Reply #3 on: December 13, 2022, 10:12:25 am »
Which wget from where? You need to explain a bit better.
Either HAProxy is giving a partial chain (not fixed by CA bundle) or your wget client is missing the root certificate (may be fixed by CA bundle, but "fetch" is a better tool to use here).
Cheers,
Franco
« Last Edit: December 13, 2022, 10:14:07 am by franco »
Deku2 (Newbie, Posts: 30, Karma: 1)
Re: Installing a CA Bundle « Reply #4 on: January 04, 2023, 10:40:25 pm »
Sorry for the delay Franco.. vacay. From what I get from the certificate provider (NameCheap), I'm supposed to combine the bundle and the cert into a single file, such as described here for Nginx.
https://www.namecheap.com/support/knowledgebase/article.aspx/9419/33/installing-an-ssl-certificate-on-nginx/
OPNsense doesn't appear to allow this in Trust / Certificates. After submitting my CSR and getting the returning files, it will only accept the certificate (not a combination of cert and bundle). Instead, I've added the bundle to the Trust / Authorities.
So, what am I doing... I have a web server that I'm hosting and using HAProxy to reverse proxy to that. I've defined the certificate as the TLS cert. However, this only offers the cert to the client, not the cert chain. So my partners are having connection issues.
As to your question regarding wget, it was just the first tool I tried for figuring out the problem (as it appears to work fine in my local browser). I can try to use fetch, but I think I know what the problem is.. just not how to fix it. It's a public CA, so not even sure why a bundle is needed (but I expect this is my ignorance about what is going on).
« Last Edit: January 04, 2023, 10:51:24 pm by Deku2 »
cookiemonster (Hero Member, Posts: 1823, Karma: 95)
Re: Installing a CA Bundle « Reply #5 on: January 05, 2023, 03:27:19 pm »
I could be very wrong but from the UI, OPN has a section for Authorities and another for Certificates. I would try adding them separately and test.
Vilhonator (Full Member, Posts: 245, Karma: 13)
Re: Installing a CA Bundle « Reply #6 on: January 05, 2023, 06:01:38 pm »
You can open CAs and certificates in Notepad or any text editor.
There are 3 ways you can read the file in a text editor:
Open your text editor, then go to File ---> Open... ---> go to folder you stored the CA files ---> and on option box next to name choose "all types" and choose the file you want to open.
Right click the file and select "open with..." and choose the text editor you want to use.
Right click the file, choose "rename" and type .txt at the end of the name of the file
REMEMBER TO DELETE THE FILES FROM YOUR COMPUTER ONCE YOU HAVE ADDED THEM TO YOUR FIREWALL!!!!!
CA and Certificate files are written in raw text and usually there's no need for safekeeping them after you have imported them to wherever needed, so it is better to destroy them, rather than keeping them.
If your CA bundle doesn't contain file with private key, then you can't import the CA using Certificate authority option and you need to import the CA to trusts.
Deku2 (Newbie, Posts: 30, Karma: 1)
Re: Installing a CA Bundle « Reply #7 on: January 05, 2023, 07:31:42 pm »
cookiemonster and Vilhonator, I'm not sure you understand the issue. I've imported the bundle into Authorities as suggested by franco, but that doesn't seem to translate to HAProxy. You can't import the certificate with the bundle (by combining the text files) as OPNsense won't accept it in response to the CSR.
« Last Edit: January 05, 2023, 07:33:57 pm by Deku2 »
Vilhonator (Full Member, Posts: 245, Karma: 13)
Re: Installing a CA Bundle « Reply #8 on: January 05, 2023, 09:23:30 pm »
Ah now I understand
Go to System ---> Trust ---> Certificates, add new certificate, and in selection box choose "Sign a certificate signing request" and on Certificate authority, select your certificate authority.
If it doesn't show any certificate authorities, then you need to create your own certificate authority and manually add the certificate of your HAProxy to each machine in your network that you want to add to it.
https://docs.opnsense.org/manual/how-tos/self-signed-chain.html
Deku (Newbie, Posts: 31, Karma: 4)
Re: Installing a CA Bundle « Reply #9 on: January 06, 2023, 09:29:14 pm »
But it's not a self-signed cert.. It's a public cert issued by NameCheap. I create a CSR, which is sent to Name Cheap, they issue a certificate and include the bundle. I can only supply the certificate in response to the CSR in OPNsense (I can't combine it with the bundle). I can import the bundle into the Authorities section, but that doesn't do anything as far as I can tell.
I did try to see if I could do as you suggested, but the bundle didn't come up as a provider.
Deku (Newbie, Posts: 31, Karma: 4)
Re: Installing a CA Bundle « Reply #10 on: January 06, 2023, 10:18:26 pm »
Solved! It was primarily my fault. Steps to Install a Certificate Chain.
1. Create the CSR and send to provider, receive cert package.
2. Combine the certificate and the bundle (cert first, then bundle below) in a text editor (like notepad).
3. Copy the combined chain back into OPNsense in response to the CSR.
Part of my issue is that I followed the instructions by namecheap and did a 'cat bundle >> cert', which didn't create a new line between them, thus causing OPNsense to fail when I tried to use it in response to the CSR.
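The failure described in Reply #10, as an added example that is not part of the original posts: appending the bundle to a certificate file that has no trailing newline fuses the END and BEGIN markers onto one line. The script joins leaf and bundle with normalised line endings and checks the PEM framing; the file name domain.crt and the helper names make_samples, join_pem and check_pem are assumptions, and the certificate bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example. File names and certificate bodies are constructed
# placeholders, not real certificates.

# Write a leaf file with NO trailing newline (the condition that broke the
# import in the thread) and a two-certificate bundle with CRLF line endings.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
        'TEVBRi1QTEFDRUhPTERFUg==' '-----END CERTIFICATE-----' > "$1/domain.crt"
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRFLTE=' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'SU5URVJNRURJQVRFLTI=' '-----END CERTIFICATE-----' > "$1/domain.ca-bundle"
}

# join_pem LEAF BUNDLE...: emit the files in the order given (leaf first),
# stripping CRs and blank lines. awk terminates every line it prints,
# so the last line of each input always ends in a newline.
join_pem() {
    for f in "$@"; do
        tr -d '\r' < "$f" | awk 'NF'
    done
}

# check_pem FILE: print the number of certificate blocks, or fail if any
# BEGIN/END marker shares its line with other text or the blocks do not pair up.
# This checks framing only; it does not verify signatures or chain order.
check_pem() {
    awk '
        { sub(/\r$/, "") }
        /-----(BEGIN|END) CERTIFICATE-----/ {
            if ($0 == "-----BEGIN CERTIFICATE-----") { if (inside) bad = 1; inside = 1; next }
            if ($0 == "-----END CERTIFICATE-----") { if (!inside) bad = 1; inside = 0; n++; next }
            bad = 1    # marker fused with other text, e.g. END...-----BEGIN
        }
        END { if (bad || inside || n == 0) exit 1; print n }
    ' "$1"
}

# Demo: the naive append fails the check, the normalised join passes.
tmp=$(mktemp -d)
make_samples "$tmp"
cp "$tmp/domain.crt" "$tmp/naive.pem"
cat "$tmp/domain.ca-bundle" >> "$tmp/naive.pem"
check_pem "$tmp/naive.pem" >/dev/null || echo "naive append: malformed PEM"
join_pem "$tmp/domain.crt" "$tmp/domain.ca-bundle" > "$tmp/fullchain.pem"
echo "joined chain: $(check_pem "$tmp/fullchain.pem") certificates"
rm -rf "$tmp"
```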