User Certificate – Why is the private key required?

[9axqe]

I am trying to set up client certificate for automatic login into the opnsense GUI, one less daily hassle =)

The GUI mask is asking for the private key of this client certificate, which I am not willing to upload to sense and also should not be required, opnsense only need the public key.

Am I missing something?

[CJ]

Can you elaborate on what you're trying to accomplish?  Automatic login to the UI how?  Where are you adding a cert?

[9axqe]

I am attempting to authenticate to the opnsense GUI using a certificate instead of a password. I hope it will require less keystrokes from my side (I understand it depends on browser implementation).

Here you can find some details on how client certificate authentication works:
https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326

Under System >Access > Users, for each user there's a field called "User Certificates". I assumed this is intended for client certificate based authentication against the opnsense GUI. Did I misunderstand what this field is for?

[CJ]

Any reason to not just use a password manager?

What happens if you leave the private key blank?  You'll note that the import screen isn't specific to just user certs.

[9axqe]

If I leave the private key empty, I get an error telling me "The following input errors were detected: The field Key data is required."

I am hoping this is even faster than password manager.

[cookiemonster]

I am attempting to authenticate to the opnsense GUI using a certificate instead of a password. I hope it will require less keystrokes from my side (I understand it depends on browser implementation).

Here you can find some details on how client certificate authentication works:
https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326

Under System >Access > Users, for each user there's a field called "User Certificates". I assumed this is intended for client certificate based authentication against the opnsense GUI. Did I misunderstand what this field is for?

Dunno what the intention for this is and can't check docs right now but as long as it has the X509v3 Extended Key Usage attribute: "TLS Web Client Authentication" then it can be used for that. To check you can issue:

Code: [Select]

# openssl x509 -text -in /path/to/certificate.crt -noout

I am trying to set up client certificate for automatic login into the opnsense GUI, one less daily hassle =)

The GUI mask is asking for the private key of this client certificate, which I am not willing to upload to sense and also should not be required, opnsense only need the public key.

Am I missing something?

Maybe some step of that post. A quick scan and makes sense like "Trying to get in
To use these certificates in our browser, we need to bundle them in PKCS#12 format. That will contain both the private key and the certificate, thus the browser can use it for encryption." The private key needs to be in play somehow.

[9axqe]

The opnsense GUI only allows two text fields (no uploading of file), and the certificate must be in pem format, this is visible in the GUI.

The PKCS format is for the browser on my laptop, that is not a problem, my issue is with uploading the certificate to opnsense.

I have the certificate in question in pem format, I pasted it in the "user certificate" field, but there is no private key because the private key is meant to stay on my computer, not to be upload on the opnsense router, this is how asymmetric cryptography works: the private key stays on the machine which is authenticating itself, the public key is present on both sides.

Have a look at the attached screenshot of the opnsense GUI, maybe it will be clearer.

[cookiemonster]

If this UI section requires the private key of the cert to be entered, then it is a client cert that is for. That is, for the system to use to identify itself to other systems. But you surely know this as you're telling how asymmetric cryptography works so it must be a trick question

[9axqe]

I get to the screenshot attached above when I click on the little + next to "user certificate", under System > Access > User. See the screenshot.

Hence I assumed this is intended for uploading a user certificate, a certificate that allows the user to authenticate itself against opnsense. Not the other way around. Maybe I misunderstood this though, are you saying this "user certificate" is intended for opnsense to authenticate against my laptop? Isn't that what the opnsense GUI certificate is for?

[meyergru]

When client certificates are used to authenticate, the server side usually does not have the client certificate, but only the CA certificate that is being used to sign the accepted client certificates.

Thus, it is very unlikely that a "client certificate" which can be uploaded can be used to authenticate "against" (i.e. server side) - only to authenticate "with" (i.e. client side). For the latter purposes, the key is obviously needed,

AFAIK, there is no means to authenticate a user by client certificates in OpnSense.

[Patrick M. Hausen]

You still might want to lock a single cert to a particular user. And we hopefully all agree that the server side requesting authentication never needs the private key 

[meyergru]

You still might want to lock a single cert to a particular user. And we hopefully all agree that the server side requesting authentication never needs the private key 

Correct, but in practice, this is usually done by using some attributes of the certificate (e.g. CN) in order to be able to renew the certificate later on.

And yes, neither does a server require the client nor the CA certificate key. That is exactly why this specific client certificate is highly unlikely to represent something that serves as means for server authentication of clients.

[cookiemonster]

You still might want to lock a single cert to a particular user. And we hopefully all agree that the server side requesting authentication never needs the private key 

Most definitively.

[9axqe]

You still might want to lock a single cert to a particular user.

I'm not sure I'm following, what do I want to lock a whole certificate (incl. private key) to a single user for? What is the use case behind it?

[Patrick M. Hausen]

If you use certificates for client authentication you might want to make sure Joe can only use Joe's certificate and Bill only Bill's.