Trying to setup auth via client certificate but downloaded p12 file is invalid

[soupdiver]

I try to setup web interface auth via client certificates.
I created a CA and a user certificate. But when I download the exported cert and try to add it to the keychain on my mac it errors out. Checking the file using gopenssl also shows an error:

Code: [Select]

openssl pkcs12 -info -in cert.p12
004C26F401000000:error:0680007B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:105:

Any ideas?

[newsense]

Apply the patch or wait for 24.7.1


https://github.com/opnsense/core/issues/7703

Code: [Select]

opnsense-patch b3aa910

[soupdiver]

ah interesting... of course what a timing to try this out. Thanks!

Question in genral: I sit possible to use a cert to login to the webinterface in general? It's hard to find some infos about that topic and chatgpt seems to hallucinate an answer

[franco]

Not sure if lighttpd supports this. Note that these types of features are not certificate-based, they are CA-based so any valid certificate will yield you a login with matching CN from that CA.


Cheers,
Franco

[soupdiver]

I think it does but seems I misundesrtood the intention for the client certificates in the UI then

[doktornotor]

any valid certificate will yield you a login with matching CN from that CA.


Cheers,
Franco

Not necessarily, I think the key is the require part here - https://redmine.lighttpd.net/projects/lighttpd/wiki/Mod_auth

Code: [Select]

auth.require = ( "" =>
                 (
                   "method"  => "extern",
                   "realm"   => "certificate",
                   "require" => "user=agent007|user=agent008"
                 )
               )


[franco]

Ah, thanks. Missed that part. It appears to hook into the system trust store then?


Cheers,
Franco

[franco]

PS: this lighttpd stuff is pluggable: https://github.com/opnsense/core/blob/master/src/etc/lighttpd_webgui/conf.d/README