Download certificate bundle

Started by Tom221, December 09, 2024, 09:52:40 AM

Hello,

About a year ago I changed my WLAN to use EAP-TLS authentication with self-signed certificates from OPNsense. For this I created a root CA with which I issued a server certificate and, for each device, a client certificate. Everything worked flawlessly. Recently the certificates expired and because of this I thought I would renew the whole process: I created a new root CA, a new server certificate and a new client certificate for an Android device.

But something seems to be different. The last time I was able to download a certificate bundle for the server certificate and the client certificate which also included the CA certificate. In some version (24.1?) the GUI has changed; there's now a dialog to select what should be downloaded. When selecting PKCS#12 it seems to be nearly the same, but the CA certificate is missing, so the certificate chain is incomplete. When installing the certificate on the Android device it doesn't even connect to the RADIUS server, so it seems the server certificate is not accepted for the connection.

I spent a few hours trying to find out how to create the same certificate bundle (as before) using the OpenSSL CLI but failed to do so. I've got some PKCS#12 certificates but did not get them to work on the Android device. I guess that the root cause is the order of the certificates in the bundle, but I don't get it right. Any advice?

This is the command which I used recently:
openssl pkcs12 -export -inkey server_prv.pem -in server_crt.pem -certfile root_crt.pem -out servercert.p12

PEM files are just text. To create a full-chain certificate, create a new file and paste the certificates in there, including the -----BEGIN... and -----END... lines.

https://knowledge.digicert.com/tutorials/create-pem-file-for-tls-ssl-certificate-installations

https://www.rfc-editor.org/rfc/rfc4346#section-7.4.2 if you have trouble sleeping.

I'd like to use PKCS#12 files as they are encrypted with a password. Today I installed version 23.7 in a virtual machine to compare the old certificates (which included the CA certificate) with those which I created using the OpenSSL CLI. While the ordering of the certificates in the bundle is the same, the old ones seem to use legacy providers. Apart from that I can't see any difference.

Is there any reason why the CA certificate is not included in the pkcs12 bundle anymore?
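The following script is an added example for this thread; it is not from the original posts and not OPNsense's own tooling. It builds a throwaway EAP-TLS PKI (root CA, server certificate, client certificate) with the OpenSSL CLI, then packs the client key, the client certificate and the root CA certificate into one PKCS#12 file and checks that the CA really ended up inside it. It also shows the "legacy" point from the second post: a second bundle is written with the explicit 3DES/SHA-1 algorithms that OpenSSL 1.1 used by default, which older clients may require, while OpenSSL 3 defaults to AES-256 with PBKDF2 and a SHA-256 MAC. All subjects, file names and the password are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread or OPNsense: build a throwaway EAP-TLS
# PKI, pack client key + client cert + root CA into a PKCS#12 file, and
# verify the CA is inside. All names and the password are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
PASS="example-p12-password"          # constructed sample; never reuse a real one
CA_SUBJ="/CN=Example Lab Root CA"

# issue_cert NAME SUBJECT SIGNER EXTENSIONS
# SIGNER is "self" (self-signed root) or "ca" (signed by $WORK/root_*).
# EXTENSIONS is a backslash-n separated X.509v3 extension list.
issue_cert() {
  name="$1"; subj="$2"; signer="$3"; exts="$4"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$WORK/${name}_prv.pem" -out "$WORK/${name}.csr" 2>/dev/null
  printf '%b\n' "$exts" > "$WORK/${name}.ext"
  if [ "$signer" = self ]; then
    openssl x509 -req -sha256 -days 30 -in "$WORK/${name}.csr" \
      -signkey "$WORK/${name}_prv.pem" -extfile "$WORK/${name}.ext" \
      -out "$WORK/${name}_crt.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 30 -in "$WORK/${name}.csr" \
      -CA "$WORK/root_crt.pem" -CAkey "$WORK/root_prv.pem" -CAcreateserial \
      -extfile "$WORK/${name}.ext" -out "$WORK/${name}_crt.pem" 2>/dev/null
  fi
}

# Root CA plus one server (RADIUS) and one client (phone) certificate.
build_pki() {
  issue_cert root "$CA_SUBJ" self \
    'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  issue_cert server "/CN=radius.example.lab" ca \
    'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth'
  issue_cert client "/CN=android-phone" ca \
    'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth'
}

# Check that a leaf really chains to the root we intend to ship with it.
verify_leaf() {
  openssl verify -CAfile "$WORK/root_crt.pem" "$WORK/${1}_crt.pem" >/dev/null 2>&1
}

# build_p12 NAME OUTFILE CAFILE [extra openssl pkcs12 options]
# -certfile is what carries the CA; with an empty CAFILE the bundle holds
# only the leaf certificate and the chain inside it is incomplete.
build_p12() {
  name="$1"; out="$2"; cafile="$3"; shift 3
  if [ -n "$cafile" ]; then set -- -certfile "$cafile" "$@"; fi
  openssl pkcs12 -export -inkey "$WORK/${name}_prv.pem" -in "$WORK/${name}_crt.pem" \
    -name "$name" -passout "pass:$PASS" -out "$out" "$@"
}

# Number of certificates stored in a bundle (2 = leaf + CA, 1 = CA missing).
count_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Subject of the CA certificate stored in a bundle (empty if there is none).
bundle_ca_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null || true
}

# Encryption and MAC algorithms protecting a bundle, as OpenSSL reports them.
bundle_algs() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -info -nokeys -nocerts 2>&1 || true
}

build_pki
verify_leaf client
build_p12 client "$WORK/client_nochain.p12" ""
build_p12 client "$WORK/client.p12" "$WORK/root_crt.pem"
# Compatibility variant: 3DES + SHA-1 as OpenSSL 1.1 produced by default.
# Weaker than the OpenSSL 3 defaults; use only if a client rejects the default.
build_p12 client "$WORK/client_compat.p12" "$WORK/root_crt.pem" \
  -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1

echo "without -certfile: $(count_certs "$WORK/client_nochain.p12") certificate(s)"
echo "with    -certfile: $(count_certs "$WORK/client.p12") certificate(s), CA: $(bundle_ca_subject "$WORK/client.p12")"
echo "compat bundle algorithms:"; bundle_algs "$WORK/client_compat.p12"
```

Run it as-is; it writes everything under a temporary directory and prints the two certificate counts and the algorithms of the compatibility bundle. The `count_certs` check is the quick way to tell whether a `.p12` from the GUI or the CLI carries the CA at all, and `bundle_algs` on an old working bundle next to a new one shows whether the difference you noticed is the encryption (RC2/3DES with SHA-1 versus AES-256 with PBKDF2). Using 3DES rather than RC2 for the compatibility bundle keeps it buildable on OpenSSL 3 without loading the legacy provider; `-legacy` on OpenSSL 3 would reproduce the old RC2-40/3DES defaults exactly.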