S/MIME Certificates with OPNsense

Started by xatru, October 22, 2018, 06:08:00 PM

Hi everybody,
For around half a year I have been using OPNsense as firewall and VPN endpoint at home. I'm quite happy, as the installation is easy and everything I need is included – and of course it's free ;) I also use the System:Trust part of OPNsense as CA for all my devices. As I, of course, trust my own CA, everything works fine.

The only issue I currently have is that I would also like to use the certificates for e-mail encryption and signing. I'm not sure if I am doing something wrong, but whatever I try I'm not able to use the generated certificates for mail encryption in Outlook. I already searched the web and the forum here, but I wasn't able to find any helpful information. Has anyone ever tried to create certificates for S/MIME encryption for Outlook with OPNsense and can give support or a short tutorial here?


Hi xatru, interesting, I am using self-signed chains for 'everything' as well, but I did not try to set up a local mail server with a chain from OPNsense yet.

There is a wiki page on this subject that should get you started: https://wiki.opnsense.org/manual/how-tos/self-signed-chain.html
Please, how did you create the chain, with an intermediate? You should use the CA and install that in your client.

If I have some free time I'll set up a local mail server and add my results to the wiki. Have some patience though, it could take some time ;)

Greetings, mark

S/MIME encryption and signing have separate certificate extensions. You can't create them with OPNsense.


Cheers,
Franco

Yes, I know, but my plan was to export the whole CA to some local machine, create what I need there.
It may not even be possible to do it that way, but that was the plan  ;D

Greetings, mark

You can export the CA and its private key for externally signing CSRs. But I cannot recommend this approach unless you know what you are doing. Keep in mind that you then have to manage two databases of serial numbers, which you have to combine into one CRL in case of certificate issues.

The better way is to use your own CA or an intermediate CA derived from your CA in OPNsense. For e-mail encryption the leaf certificate needs the correct attributes (e.g. key usage: signing, non repudiation, key encipherment; extended key usage: email security [1.3.6.1.5.5.7.3.4]).

OPNsense 24.7.11_2-amd64
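As an added illustration of the attributes schnipp lists (not code from the thread or from OPNsense), the script below builds a root, an intermediate and an S/MIME leaf with openssl, then checks that the leaf chains correctly and carries the key usage, emailProtection EKU and mailbox SAN a mail client looks for. The root CA is a constructed stand-in for the OPNsense System:Trust CA, and the names, directory and address alice@example.test are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a small chain and issue an S/MIME
# leaf certificate with the attributes schnipp lists, then verify them.
# The root CA here is a constructed stand-in for the OPNsense System:Trust CA;
# in practice the intermediate CSR would be signed by that CA instead.
set -e

# Write an extension file for the given role (root, intermediate or leaf).
ext_for() {
  case "$1" in
    root)  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' ;;
    inter) printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' ;;
    # Leaf: signing, non-repudiation, key encipherment + emailProtection
    # (OID 1.3.6.1.5.5.7.3.4) and the mailbox in the SAN, as mail clients expect.
    leaf)  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment\nextendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.test\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' ;;
  esac
}

# Create root -> intermediate -> leaf in directory $1 (constructed lab data).
make_smime_chain() {
  mkdir -p "$1" && (
    cd "$1" || exit 1
    for role in root inter leaf; do ext_for "$role" > "$role.ext"; done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile root.ext -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Mail CA" -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 -extfile inter.ext -out inter.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Alice/emailAddress=alice@example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 365 -extfile leaf.ext -out leaf.crt 2>/dev/null
  )
}

# Return 0 only if $2 (a cert file in $1) chains to the root through the
# intermediate and carries every extension a mail client needs for S/MIME.
check_smime_cert() {
  dir="$1"; cert="$dir/$2"
  openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/inter.crt" "$cert" >/dev/null 2>&1 || { echo "$2: chain does not verify"; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  for needle in "Digital Signature" "Non Repudiation" "Key Encipherment" "E-mail Protection" "CA:FALSE" "email:alice@example.test"; do
    case "$text" in *"$needle"*) ;; *) echo "$2: missing $needle"; return 1 ;; esac
  done
  echo "$2: usable for S/MIME"
}
```

Running check_smime_cert against inter.crt instead of leaf.crt fails on the missing E-mail Protection EKU, which is the same reason a plain OPNsense-issued certificate is not accepted for S/MIME.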

Hey schnipp, thanks for the answer.
Your first part was in fact what I had in mind. A CRL is not important for a local solution, so yeah, I would have chosen this quick and dirty method.

The second part, I have never done that. What is it you mean exactly, derive a CA from the OPNsense CA? How should I go about doing this?
Don't worry, I'll read about it some more and try to figure it out anyway, though this will be a project for the cold winter days; I'm somehow short on time at the moment.

I do understand in this case the leaf certificate needs the correct attributes to work as S/MIME certificate.

Greetings, mark

Quote from: qinohe on October 28, 2018, 04:06:21 PM
Hey schnipp, thanks for the answer.
Your first part was in fact what I had in mind. A CRL is not important for a local solution, so yeah, I would have chosen this quick and dirty method.

The second part, I have never done that. What is it you mean exactly, derive a CA from the OPNsense CA? How should I go about doing this?
Don't worry, I'll read about it some more and try to figure it out anyway, though this will be a project for the cold winter days; I'm somehow short on time at the moment.

I do understand in this case the leaf certificate needs the correct attributes to work as S/MIME certificate.

Greetings, mark

Do you use S/MIME certificates for external e-mail communication? If this is the case, you should have a CRL for better trust in your CA. A derived CA is also called an intermediate CA, which itself signs another intermediate CA or a leaf certificate (see here).
OPNsense 24.7.11_2-amd64

Ah, that's what you mean. I understand that, and no, I don't run my own e-mail server, I have never felt the need to, though I did set one up once or twice...
Btw., I have written the self-signed certificate wiki page (OPNsense wiki).
The reason I want to set one up now is because the number of servers has grown and they can all send messages about their state. I could also use a 3G/4G cell for that, but this costs nearly nothing. ;D

xatru: I'm not trying to hijack your thread; this is forum policy. Thanks.

Greetings, mark