User Certificate – Why is the private key required?

[9axqe]

Ah yes, for sure. But Joe's private key doesn't leave Joe's computer, so Bill can keep dreaming...

ok, so: I feel like there's a GUI bug here. I can see I can upload CA cert _without_ private key to opnsense, I think it should be the same for user's HTTPS client certificate, it should not be limited to CA's certificates.

Where are the certificates stored in opnsense, maybe I can try to add it (without private key) via CLI and see if it works.

[Patrick M. Hausen]

Bill can use his own private key and log in as Joe if you only check validity and not match the CN to a particular user.

[9axqe]

But if Bill uses his own private key, then it's not Joe's certificate, then there's no need to lock Joe's cert to Joe's user, no?

I mean, I don't mind locking certs to users, but I'm just saying it's maybe superfluous from a security point of view since each user can only present his own cert / private key... But it's probably definitely useful for administration, otherwise it can become chaos to manage...

[9axqe]

ok, since I wasn't ok uploading the private key of that specific cert to the opnsense, I looked at it under a different angle. I'm still stuck, but I'm a couple of steps further at leaast.

1. I created a CA on opnsense, issued a certificate (when issuing I can choose NOT to store the private key on opnsense and just download it).
2. I assigned this new certificate to my user under System > Access > User
3. I converted the downloaded private key and certificate from two PEM files into a single pfx file using 'openssl pkcs12 -export -inkey private-key.pem -in certificate.pem -out client-cert.pfx'
4. I imported this cert into firefox

Now I'm trying to understand how I can use it to authenticate against opnsense. There's no specific prompt when loading the opnsense login page, just the usual username/pwd field.

[meyergru]

That is my point: You can't. Because of the purpose of the certificate that can be added to a user account is NOT to authenticate AGAINST, but to authenticate that user WITH.

As I tried to illustrate already, if you want to authenticate a user with a client certificate, you have to have a few separate things to achieve on the server side (i.e. OpnSense):

1. Configure the web server to enable client certificates in the first place in the web server. If this is the case, your browser will most likely prompt you to choose from your client certificates.

2. Configure the web server to verify if the presented client certificate is valid in the sense that it has been issued by a trusted CA. Thus, the web server has to include that CA in its certificate store. If it is a certificate issued by one of the "usual suspects" (i.e. official CAs), then fine.

3. (And this is where the problem lies) You have to check the content of the certificate in your web application, that is, some contained attribute in order to check against your user database. Usually, this is an e-mail adress in the CN of the certificate, NOT the full certificate itself as you imply. If that user is in the database, the usual username/password prompt can then be skipped.

AFAIK, none of these mechanisms have been implemented in OpnSense (yet).

[9axqe]

the purpose of the certificate that can be added to a user account is NOT to authenticate AGAINST, but to authenticate that user WITH.

I think here lies my misunderstanding, I do not understand what you mean here: authenticate against what? With what? Opnsense? What does "authenticate with opnsense" mean here?

Could you maybe make a sample scenario of what such a user cert can be used for?

[Patrick M. Hausen]

OpenVPN if I am not mistaken.

[9axqe]

That does make sense, thanks!

This is documented here:
https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html

[meyergru]

the purpose of the certificate that can be added to a user account is NOT to authenticate AGAINST, but to authenticate that user WITH.

I think here lies my misunderstanding, I do not understand what you mean here: authenticate against what? With what? Opnsense? What does "authenticate with opnsense" mean here?

Could you maybe make a sample scenario of what such a user cert can be used for?

"Authenticate a user against" the OpnSense GUI via a client certificate (OpnSense server side to accept such certificates is not implemented and also, would not have to know the specific certificate, only its CA and some attribute)

vs.

"authenticate an OpnSense user with" a client certificate to another party, like a public OpenVPN server (OpnSense in client role on behalf of a user by using his credentials / certificate).

It is explained in the manual: https://docs.opnsense.org/manual/certificates.html. Apart from OpenVPN, which uses certificates per default, there are other examples given. However, when you look it up, there are no configuration options in either the web proxy or the captive portal. The authentication methods in the manual for those scenarios do not include certificates.

But I think this beyond the point: We were discussing if (and if so: how) you could authenticate against the OpnSense GUI by using client certificates (which you cannot) and not what other purposes these certificates might be useful for.

[karlson2k]

I think this point is very valid.

The public certificate can be used to check that remote side is exactly the expected peer.

Currently it is possible to create certificate without private key, when certificated is create via GUI: just set "Private key location" to "Download and do not save".
At the same time it is not possible to import existing certificate without private key (the "workaround" is to use space as a private key: certificate will be imported, reported as "with private key", but could be used only as public certificate).