24.7.1 issue with importing CA and Certificate

Started by ita.tc, August 15, 2024, 09:11:00 AM

We're having trouble with importing certificates on 24.7.1:
While trying to set up a site to site OpenVPN we created a CA and certificate on firewall A and exported those as usual.
We then imported the CA and then the certificate on firewall B, but the certificate shows up as "self signed" and trying to use it in an OpenVPN instance leads to an error (Unable to locate a CA for this certificate.).

If I reproduce these exact same steps on an older OPNsense (I used one on 22.7.11 that I have for reference) the certificate is correctly linked to the CA.

Is this a known issue in 24.7? Do we need to do something differently than before?

Quote from: ita.tc on August 15, 2024, 09:11:00 AM
...
Do we need to do something differently than before?

Is it possible to paste your CA and Server certificate here ? (just the certs, _NOT_ the keys). Something like:

openssl x509 -in /path/to/cert.pem -noout -text

If you don't want to share the actual certs, you could make an _exact_ dummy with bogus names, just replicate the other settings 100%.

Hi netnut,
thank you for your reply and excuse my late response. Sadly we noticed this bug with two firewalls that needed to be deployed, so we had to roll back to 24.1.
I have just installed two new 24.7 opnsenses and could recreate the issue. Here's the certificate data:

CA Cert:

-----BEGIN CERTIFICATE-----
[---8<---]
-----END CERTIFICATE-----


Test-Cert

-----BEGIN CERTIFICATE-----
[---8<---]
-----END CERTIFICATE-----

Quote from: ita.tc on August 19, 2024, 03:18:53 PM
...
I have just installed two new 24.7 opnsenses and could recreate the issue. Here's the certificate data:

Interesting, did you apply the minor patches too (24.7.1 is latest)? The Trust module in 24.7 got a major rewrite and somewhere in time (don't know exact version) OpenSSL was upgraded from v1.x to v3.x.

I guess you created the original set of certificates (CA + Client) on a previous version, because when I try to reproduce your scenario with 24.7.1 the first thing that's noticeable is that the new OPNsense Trust module automatically creates certificates (client, server and client/server) with the IPsec OID (1.3.6.1.5.5.8.2.2) added to the "Extended Key Usage". These are missing in your example, so I'm wondering how you recreated this issue on 24.7?

Another important thing is that your example Client Certificate (Test-Cert) only contains a Common Name (CN) but no Subject Alternative Names (SAN). For a Client Certificate this could be a DNS Domain Name or Email Address, for a Server Certificate a DNS Domain Name. Modern crypto libraries (like OpenSSL v3) won't honor the CN anymore, just the SAN.

Some other things I noticed, but shouldn't be that important or part of your issue:

- Any reason you're still using RSA? In most cases EC is more efficient: Secp521r1 for your CA, Secp384r1 for Client/Server.
- You could skip the email address in the subject; it isn't used and leaving it out makes the subject more "readable". At a minimum have a Subject with a Country, Organization and a Common Name.


Not only for importing your Certs in OPNsense, but for the sake of generic certificate hygiene I suggest you create a new certificate hierarchy within OPNsense. For your reference, here are a full CA and Client/Server certificate _with_ RSA keys which are created with nothing special and correctly related in OPNsense 24.7.1:

CA


-----BEGIN PRIVATE KEY-----
[---8<---]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFlzCCA3+gAwIBAgIBADANBgkqhkiG9w0BAQ0FADA/MQswCQYDVQQGEwJVUzER
MA8GA1UECgwIT1BOc2Vuc2UxHTAbBgNVBAMMFE9QTnNlbnNlIFJTQSBSb290IENB
MB4XDTI0MDgxOTE5MDMzM1oXDTI2MTEyMjE5MDMzM1owPzELMAkGA1UEBhMCVVMx
ETAPBgNVBAoMCE9QTnNlbnNlMR0wGwYDVQQDDBRPUE5zZW5zZSBSU0EgUm9vdCBD
QTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALgpnvoBStwIJOUBs+z9
B469hCXIcBzkxw+AqjQrOva97HOdU0r24J/uHNGONsqooEzo2WTOZ6w5z2HYl1xe
EWjrqFGBOUeOZxhRYixCKcra7E5zM4Q1vIL6G0Sg4VzcvZfksdp8nzOtFuNtL1gH
iyLe9SILxuBZgjfw3RB5mHy5FwosshsyprLUTpnMGhNLk5jVHv/XaDFRnDqKFROV
wtl3gKP+S48K7qBmCYkfhjgiE+b58g5rYrL58/MMwhSb7JOMUYGqK1pAqe5YMxBy
2l5UhPO8/KkbnjTFGnVvNWIkXCIZY5h0XkRtqHHb8Pegh7c1zvxx3enLXX6Eq5Nl
v/izgNd20IT4dJZFnyuzs59GZJG70d2NedOJ831LAeaSlQ0DpiRKkzn0jLjFyTUc
vujRwTm6b401Tx81BEWLEoWQUlG4P5fsdpkHYDexvtW8Wpc5mewdQMkmDHmjYJMw
3j4Q2PG34E3lZtMncSCXP2Jk13cV+MQED0EhcDUeOcQYrgxjU62uvcmoS2VTp7Ce
YvOErwJgIKCBqi5sXPTOpdU/yh2HMMGaJR+lHhW5y12R8JI1+bwbz38AhlSzke0n
t8Hq3ND9XzaUlxtfSIuoZyFhGpAdU2kSwaCf3X/e6B+69/2+nlOD2xT9OKBYwdrW
BhlAAEwOoDqVIwGE2YJVuf+XAgMBAAGjgZ0wgZowNwYJYIZIAYb4QgENBCoWKE9Q
TnNlbnNlIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYE
FPfp0E0kdt0sa4X/XiyPbD73tKA+MB8GA1UdIwQYMBaAFPfp0E0kdt0sa4X/XiyP
bD73tKA+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3
DQEBDQUAA4ICAQA1QqioNI4yd9HDtaqzbWfUSCxoy8HXQnZ+QOz1DFggInxPkmGx
equwtOrkZn9jUqcB9Y3MynDh5znEaLmRq0LozBp/QkKJZyE9UCaUD62IU6rizY67
YVpIqlKw6dvtPuNkMcUJ2uuq6zOyB/AhbjJaUrbxAGatfsgjnF9gK2UieraeQl/U
odvI0pPfXIp+dUhd9sn2fXZCNEud6WyUCCJpXC8/j5Jl0JDy166415G4tshw82H9
knnMJG6+2qLrBH/DKZ9dVhMWbC1xOLaz3vmyRMh8d4V/rEMqDIfoDQlnNVT8h85O
2+DXFxW+DjPWaf70cJsKnE7SyPMYbx9ZpVjzzUogy97obKU95HbyWktwwbZsm4nV
D5eCAN/ZvDRiQIDktLRa8/vjulk+gES1cph1ocDMVCKzhD6fyNAf03Zi3/oFv4Qc
TlPDOhMKKXr4jyfu3QhhO+uLtcWFb2JPT3zvGEDht2PbsLb267WyQcODH4ml4Qdr
dx+MScNzXL18ZSmykJVW9/wb6PCu4+occdW4J3dhcHfkMrYjdJfZmGsVwc45153D
F1rqsFwoKPvd6XiWTSEBPHbvZpEmZ7zD1IXyq4NagOoeviiXpfb8dKGSoDjqz41T
ZEaK7ddLtw9EkVaiGyMzBH+urb69/skPK6BQzSK1jSvRY/uGy08r1UAY/w==
-----END CERTIFICATE-----



Client/Server


-----BEGIN PRIVATE KEY-----
[---8<---]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[---8<---]
-----END CERTIFICATE-----

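As an added example (not code from this thread or from OPNsense), the script below parses the CA certificate netnut posted above using only the Python standard library and pulls out the fields that decide whether a leaf is displayed as linked to a CA: issuer vs. subject DER, subjectKeyIdentifier vs. authorityKeyIdentifier, basicConstraints, the extendedKeyUsage list (where the IPsec OID 1.3.6.1.5.5.8.2.2 mentioned above would show up) and whether a subjectAltName is present at all. It is a structural check only and does not verify the signature; `openssl verify -CAfile ca.pem cert.pem` does that part. The embedded certificate is netnut's public CA cert, the function and field names are this example's own, and it assumes DER-encoded X.509 v3 with single-byte tags, which holds for anything OpenSSL or OPNsense emits.

```python
import base64
import re

CA_PEM = """-----BEGIN CERTIFICATE-----
MIIFlzCCA3+gAwIBAgIBADANBgkqhkiG9w0BAQ0FADA/MQswCQYDVQQGEwJVUzER
MA8GA1UECgwIT1BOc2Vuc2UxHTAbBgNVBAMMFE9QTnNlbnNlIFJTQSBSb290IENB
MB4XDTI0MDgxOTE5MDMzM1oXDTI2MTEyMjE5MDMzM1owPzELMAkGA1UEBhMCVVMx
ETAPBgNVBAoMCE9QTnNlbnNlMR0wGwYDVQQDDBRPUE5zZW5zZSBSU0EgUm9vdCBD
QTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALgpnvoBStwIJOUBs+z9
B469hCXIcBzkxw+AqjQrOva97HOdU0r24J/uHNGONsqooEzo2WTOZ6w5z2HYl1xe
EWjrqFGBOUeOZxhRYixCKcra7E5zM4Q1vIL6G0Sg4VzcvZfksdp8nzOtFuNtL1gH
iyLe9SILxuBZgjfw3RB5mHy5FwosshsyprLUTpnMGhNLk5jVHv/XaDFRnDqKFROV
wtl3gKP+S48K7qBmCYkfhjgiE+b58g5rYrL58/MMwhSb7JOMUYGqK1pAqe5YMxBy
2l5UhPO8/KkbnjTFGnVvNWIkXCIZY5h0XkRtqHHb8Pegh7c1zvxx3enLXX6Eq5Nl
v/izgNd20IT4dJZFnyuzs59GZJG70d2NedOJ831LAeaSlQ0DpiRKkzn0jLjFyTUc
vujRwTm6b401Tx81BEWLEoWQUlG4P5fsdpkHYDexvtW8Wpc5mewdQMkmDHmjYJMw
3j4Q2PG34E3lZtMncSCXP2Jk13cV+MQED0EhcDUeOcQYrgxjU62uvcmoS2VTp7Ce
YvOErwJgIKCBqi5sXPTOpdU/yh2HMMGaJR+lHhW5y12R8JI1+bwbz38AhlSzke0n
t8Hq3ND9XzaUlxtfSIuoZyFhGpAdU2kSwaCf3X/e6B+69/2+nlOD2xT9OKBYwdrW
BhlAAEwOoDqVIwGE2YJVuf+XAgMBAAGjgZ0wgZowNwYJYIZIAYb4QgENBCoWKE9Q
TnNlbnNlIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHQYDVR0OBBYE
FPfp0E0kdt0sa4X/XiyPbD73tKA+MB8GA1UdIwQYMBaAFPfp0E0kdt0sa4X/XiyP
bD73tKA+MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3
DQEBDQUAA4ICAQA1QqioNI4yd9HDtaqzbWfUSCxoy8HXQnZ+QOz1DFggInxPkmGx
equwtOrkZn9jUqcB9Y3MynDh5znEaLmRq0LozBp/QkKJZyE9UCaUD62IU6rizY67
YVpIqlKw6dvtPuNkMcUJ2uuq6zOyB/AhbjJaUrbxAGatfsgjnF9gK2UieraeQl/U
odvI0pPfXIp+dUhd9sn2fXZCNEud6WyUCCJpXC8/j5Jl0JDy166415G4tshw82H9
knnMJG6+2qLrBH/DKZ9dVhMWbC1xOLaz3vmyRMh8d4V/rEMqDIfoDQlnNVT8h85O
2+DXFxW+DjPWaf70cJsKnE7SyPMYbx9ZpVjzzUogy97obKU95HbyWktwwbZsm4nV
D5eCAN/ZvDRiQIDktLRa8/vjulk+gES1cph1ocDMVCKzhD6fyNAf03Zi3/oFv4Qc
TlPDOhMKKXr4jyfu3QhhO+uLtcWFb2JPT3zvGEDht2PbsLb267WyQcODH4ml4Qdr
dx+MScNzXL18ZSmykJVW9/wb6PCu4+occdW4J3dhcHfkMrYjdJfZmGsVwc45153D
F1rqsFwoKPvd6XiWTSEBPHbvZpEmZ7zD1IXyq4NagOoeviiXpfb8dKGSoDjqz41T
ZEaK7ddLtw9EkVaiGyMzBH+urb69/skPK6BQzSK1jSvRY/uGy08r1UAY/w==
-----END CERTIFICATE-----"""  # the CA cert netnut posted in this thread (public cert only)

def pem_to_der(pem):
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))

def _tlv(buf, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf):  # content of a constructed value -> [(tag, content), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, start, end = _tlv(buf, pos)
        out.append((tag, buf[start:end]))
        pos = end
    return out

def _oid(raw):  # dotted-decimal string from an OBJECT IDENTIFIER's content bytes
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [str(val)], 0
    return ".".join(parts)

def _cn(name):  # commonName (2.5.4.3) from the content of a DER Name, or None
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if _oid(oid) == "2.5.4.3":
                return value.decode()

def parse_cert(der):  # the fields that decide whether a cert shows up as linked to a CA
    _, start, end = _tlv(der, 0)                            # Certificate ::= SEQUENCE
    fields = _children(_children(der[start:end])[0][1])     # tbsCertificate members
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    info = {"issuer": fields[2][1], "subject": fields[4][1], "subject_cn": _cn(fields[4][1]),
            "ski": None, "aki": None, "ca": False, "eku": [], "san": False}
    exts = [val for tag, val in fields[6:] if tag == 0xA3]  # [3] EXPLICIT extensions
    for _, ext in (_children(_children(exts[0])[0][1]) if exts else []):
        parts = _children(ext)                              # OID, optional critical BOOLEAN, OCTET STRING
        oid, inner = _oid(parts[0][1]), parts[-1][1]
        if oid == "2.5.29.14":                              # subjectKeyIdentifier
            info["ski"] = _children(inner)[0][1]
        elif oid == "2.5.29.35":                            # authorityKeyIdentifier, [0] keyIdentifier
            info["aki"] = dict(_children(_children(inner)[0][1])).get(0x80)
        elif oid == "2.5.29.19":                            # basicConstraints; cA defaults to FALSE
            info["ca"] = (0x01, b"\xff") in _children(_children(inner)[0][1])
        elif oid == "2.5.29.37":                            # extendedKeyUsage; 1.3.6.1.5.5.8.2.2 is IPsec
            info["eku"] = [_oid(v) for _, v in _children(_children(inner)[0][1])]
        elif oid == "2.5.29.17":                            # subjectAltName present at all
            info["san"] = True
    return info

def chain_findings(leaf, ca):  # structural reasons `leaf` would not link to `ca`; [] means it links
    checks = [(ca["ca"], "CA lacks basicConstraints cA=TRUE"),
              (leaf["issuer"] == ca["subject"], "leaf issuer does not equal CA subject"),
              (leaf["aki"] is None or leaf["aki"] == ca["ski"], "leaf AKI does not equal CA SKI")]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    ca = parse_cert(pem_to_der(CA_PEM))
    print(ca["subject_cn"], "CA:", ca["ca"], "EKU:", ca["eku"], "SAN:", ca["san"], "self-link:", chain_findings(ca, ca) == [])
```

To check a pair exported from firewall A, feed the CA and the leaf PEM through `parse_cert(pem_to_der(...))` and call `chain_findings(leaf, ca)`: an empty list means the two should link on import, a non-empty one names the field that disagrees. A leaf whose `eku` is empty or whose `san` is False matches what netnut observed in the posted Test-Cert.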
I probably have the same issue... apparently I couldn't import a new CRL certificate anymore (I opened a separate post for this...). I tried to delete the imported CA and then tried to reimport it without success... I get the following error in the logs:

[OPNsense\Trust\Cert:cert.cb6ce1a9-1a7c-4b36-b203-746c5fb5906a.caref] Please select a valid certificate from the list{66c460d82d748}

My External CA is RSA based size 2048 bits.

Any ideas?

Quote from: netnut on August 19, 2024, 10:32:40 PM

-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC4KZ76AUrcCCTl
[---8<---]
g5wIHmFhEye+z7hW2BRr/2pVe3Sy7g==
-----END PRIVATE KEY-----


Please don't do that. Someone will turn around and copy-paste it and use it. :(

Thank you for your input, netnut. You are right, those two certs were indeed created on 24.7.0; the original issue occurred on a fully patched system with 24.7.1 installed on both firewalls.
I have updated my test system, deleted both certificate and CA and created new ones. But after import on the second firewall the certificate is still listed as self-signed and trying to use it in an OpenVPN instance leads to the aforementioned error "Unable to locate a CA for this certificate". The exact same thing happens when I import the certificates you provided.

As for your other points: I'm thankful for your input and will bring this up internally. Sadly I don't have as much time for research and development as I once did so I appreciate you taking your time to educate me.

For reference, the newly created certificate (still RSA ;)):

CA:
-----BEGIN CERTIFICATE-----
MIIGHzCCBAegAwIBAgIBADANBgkqhkiG9w0BAQ0FADCBgjELMAkGA1UEBhMCREUx
DDAKBgNVBAgMA05SVzEPMA0GA1UEBwwGSHVlbnhlMRIwEAYDVQQKDAlJVCBBZHZp
c2UxCzAJBgNVBAsMAklUMR4wHAYJKoZIhvcNAQkBFg9pbmZvQHRlc3QubG9jYWwx
EzARBgNVBAMMCnNpdGUtYS1jYTIwHhcNMjQwODIwMTQyMDA5WhcNMzQwODE5MTQy
MDA5WjCBgjELMAkGA1UEBhMCREUxDDAKBgNVBAgMA05SVzEPMA0GA1UEBwwGSHVl
bnhlMRIwEAYDVQQKDAlJVCBBZHZpc2UxCzAJBgNVBAsMAklUMR4wHAYJKoZIhvcN
AQkBFg9pbmZvQHRlc3QubG9jYWwxEzARBgNVBAMMCnNpdGUtYS1jYTIwggIiMA0G
CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDNK/zuMt+3HwawzC5XdJuudJCOdWb3
lO90JCak4EQVVIWBnyssrVQaebKtYuMQBEPrKQTVInsM6hNOYQSGq0txFHzNxNS7
vvs+Kkn65pmrswUvG0esFfiV/Bm35+IMlxM80jgXBgBLqlAKTTUNh5ISZ52hZMhi
efs8iajg1ZCsx1z94h6lMvRwVtWYdxWYZ0oEclKqraxhzNW+llRE0VmLUmCBCyIz
xx7kTwXpLQ7F79UiCHHVuAj4XmMkpjn56LJTqwzoIgzAmsEF5JV7PETVkWS7UXRo
DxdPd+2VoKY6uucCz7BgDid0GHB6BFkYoU/JMYnQhyxZD6BslzEWZkL2wb7oO9kg
64Re1slhlctztX9lrsgQawS2IyDSwOCfgMHRYrXXFVK5397sATi/EZddDwFcEHbQ
zuL5htLTEk6RHHC3QiUt8bJp7SDsrfD4cLv/u4JwQg7+AuoKgPxU66O+U8fKiixM
k2umlkBbW0XYIxVlXoY/v5YYSrtRzv/fPsvgHmH8wdb78bA6FMT7LobGecZ9iewK
do+jqZV65BnihdJV4Qj/0ZxpJMNYcc+pTNL6ZjXkm9M2qVdJrygDZ+Bb/us9eFeu
nLF4iXS2C818TJR5tgTJA+wnyNhIBZJr0bsHB1/Iips7D0w7ZUB5Smn0Izb0aKcZ
x34xs+ZN7VbX5QIDAQABo4GdMIGaMDcGCWCGSAGG+EIBDQQqFihPUE5zZW5zZSBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBQkjlAIU5Jr
C2a3nPLhPMClkHIkBDAfBgNVHSMEGDAWgBQkjlAIU5JrC2a3nPLhPMClkHIkBDAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQ0FAAOC
AgEAhJG+4V8z2yG4RNSIJt2WDi+gsZcJPBNJXaQjit0d0Siebo3jNRhbuEFsxWBs
IsrCMatWYcuA0734q9dWVC1sdCn0O3Z2wg1DNVUDpNShXMBx5EZ8o/lqMo8BWWRb
QUQmMviXWRExmzmypMO5QbOsmmDqdQsi/IP+am5FYqzHHSWGxMYeaLwmOaoJxNQo
iZfhXRQSYAyeQ5hZOMXqZ8VlBdcE34HMGyXX6QEdt/dq+ABQ6/nREUFxVXCBde1x
yXS1DAgyod+54n/+v/GluRARl8J9NWortkK3Hf3jhTCO6GLGUlbCo822kKD1wI7g
4iE7GL8lfAVp5KFXDqlXRfQHAqKN6gdIT+3Q2kZp7tpP9Bv47YOaCv10cHQqYCuB
DQppEPJvHXnvR3JJ8J2MS+KHUyZrVP6Pcm0TIeZsx7TP9j7RTHBqHjdhcj3ILRqn
dHnmYusZ9/+Ip1LTRN6MoBWcSgFpSSXMVjqiBsAdH77E1rBzQ2sYSJ/JC4P3rlWU
EpAijJVxxeruLV7Ke1tagRB/UtZXcVJDpDjDp29FnrjiBB1ysbxIXr9vVpu/265w
0yvg9+iKr0D65OR+Dnsti/TitOBK+42i+RJEHYtLP7FX/5l8ClN9IxycKxOclWoZ
GIss9wP0PqqV+tNn1W5wlUFCuSWvFfJWAbSBa7PgHPZIhXc=
-----END CERTIFICATE-----


Certificate
-----BEGIN CERTIFICATE-----
[---8<---]
-----END CERTIFICATE-----

Quote from: some-random-user on August 20, 2024, 01:19:17 PM
Please don't do that. Someone will turn around and copy-paste it and use it. :(

You did notice these are dummies, did you?

Quote from: ita.tc on August 20, 2024, 04:42:00 PM
As for your other points: I'm thankful for your input and will bring this up internally. Sadly I don't have as much time for research and development as I once did so I appreciate you taking your time to educate me.

It's an interesting issue @ita.tc; I'm busy with some stuff, so I will look into it further at the end of the week. I really like what's being done with the new Trust module; the old one did have some other issues which are polished out.
After the 24.7 upgrade I didn't look that long at the Trust module, just checked if all existing certs were still OK, but I'm really interested what's causing this, to be continued...

Thank you for your efforts! I hope this gets fixed soon. As long as this issue persists we won't be using 24.7.
I also noticed that the way to export certificates was "better" before. You need extra clicks now and you have to name the files yourself. It's way more cumbersome in 24.7

In my honest opinion the certificate management is now a total mess...

September 10, 2024, 01:53:11 PM #10 Last Edit: September 10, 2024, 01:54:43 PM by driver99
I am also having issues importing a third-party certificate to OPNsense so that I can use it for the Webgui. My current certificate expired, and I tried to replace it but no joy. I generated a CSR using the Trusts/Certificates + method and then provided the CSR to the third party (Digicert). I then tried to add the code from the resultant generated certificate when I tried to 'Sign a CSR'. Applying this to the Webgui crashed the front end and I had to reset it from the shell to get back in. Has anyone else had success in adding a third-party certificate and applying it to the Webgui?

Versions
OPNsense 24.7.3_1-amd64
FreeBSD 14.1-RELEASE-p3
OpenSSL 3.0.14

September 10, 2024, 03:31:35 PM #11 Last Edit: September 10, 2024, 03:43:47 PM by JBBERLIN
I have just created a CSR, uploaded it to the DigiCert site and the response CRT cannot be saved, the private key is also missing in the Config. If this is the case, 300 EUR are gone.

I have a closing </priv> tag in the config but the opening <priv> one is missing.

EDIT: After a few tests I can confirm that OPNsense no longer generates private keys when creating a CSR. This is of course stupid if you have always made it easy for yourself and let the OPNsense generate the private keys.

So it looks like certificates in general are pretty broken now... not ideal for a security solution! Glad it's not just me; it's had me tearing my hair out trying to get a cert installed. Usually a super simple process: request it and upload it, job done.

Is this being looked at I wonder?


I would wait for 24.7.4 - which is due in the next ~48 hours - and try again. There's been a bit of work in this space.