Core: Feature Request: Internal CA can sign CSRs in UI

Created on 27 Sep 2017 · 13 Comments · Source: opnsense/core

Hi,

Please consider adding to the existing Certificate Authority UI functionality to sign an existing CSR. Presently the UI only permits generating a CSR from scratch or importing existing private key and public cert.

I use OPNsense as my in-house CA and not all devices accept uploads of pre-generated keys/certs.

Thanks!

feature help wanted

All 13 comments

Hi @pwhack,

This is a nice feature. I'm tagging it "help wanted" to see if anybody will help to get this in. :)

Cheers,
Franco

This feature would be great as it would complete the whole Trust functionality.

What would be required to implement this? Can opnsense already handle certificates without available private key at all?

Regards

I'm guessing system_certmanager.php just needs a section to wrap around PHP's openssl_csr_sign(). Much of system_certmanager.php is already doing similar wrapping with logic so someone familiar with that file's logic likely knows the right spot to add such a logic branch.

@fichtner, it appears you've made a fair amount of commits to system_certmanager.php. Am I on the right track of what's needed to implement this? Are there any other files that would need to be modified?

Any chance this will happen? I can't code but willing to test.

Thank you

I'd also love seeing this feature implemented. How can I help?

@wschlich It's probably not very difficult to add, but I haven't looked at it. It's probably best to start with describing some steps how to do this end to end (openssl commands), so we have an easy test scenario. Then check where this would fit the ui.

If I'm understanding the request correctly, then this would only use a ca to generate a cert, which the user can copy-paste into his application. It wouldn't be necessary to store the result, right?

@wschlich it seems @nhirokinet made an initial proposal https://github.com/opnsense/core/pull/3234. If you would like to do some testing, that would be very nice.

opnsense-patch 07b41fc4

> @wschlich It's probably not very difficult to add, but I haven't looked at it. It's probably best to start with describing some steps how to do this end to end (openssl commands), so we have an easy test scenario. Then check where this would fit the ui.

I see. Shouldn't be a big deal.

> If I'm understanding the request correctly, then this would only use a ca to generate a cert, which the user can copy-paste into his application. It wouldn't be necessary to store the result, right?

It would be about generating a certificate by signing a request (CSR) uploaded/pasted by the user.

I would vote for storing the result/certificate for reference purposes, because it would also need to be revokable via the CRL etc. -- it would just not have a private key part, compared to other certificates issued by OPNsense.

> @wschlich it seems @nhirokinet made an initial proposal #3234. If you would like to do some testing, that would be very nice.

Okay, will do :)

> @wschlich it seems @nhirokinet made an initial proposal #3234. If you would like to do some testing, that would be very nice.

Worked well so far -- got a certificate signed successfully :)
Also, the certificate is stored just like others.

Had some comments placed in the pull request (https://github.com/opnsense/core/pull/3234/commits/07b41fc43a275e3aa4d8676fbb9749cedd0cdfa5) -- mainly cosmetic issues.

Ok, so I did find some issues :)
My CSR contained a 'X509v3 Subject Alternative Name' but the certificate generated from signing that CSR doesn't have a SAN. It also drops the 'X509v3 Key Usage' tag.
Clearly not acceptable for production.
I added the corresponding comments to the pull request.
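An end-to-end openssl test scenario of the kind Franco asked for above, extended with the SAN/keyUsage check from this comment. This is an added example, not OPNsense code and not the pull request's implementation; it assumes OpenSSL 1.1.1 or newer on PATH, uses constructed names (Test CA, device.example), and goes one step beyond the thread by also showing that a CSR cannot grant itself CA:TRUE while its other extensions are kept.

```shell
# Assumes OpenSSL 1.1.1+ on PATH; every function takes a scratch directory.
set -eu

# Shared config for `openssl req` (throw-away CA) and `openssl ca`. With
# copy_extensions=copy the CSR's SAN and keyUsage survive signing, but
# [leaf] is applied first and wins, so a CSR asking for CA:TRUE is refused.
write_config() {
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
[ca]
default_ca = this_ca
[this_ca]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
policy = any_policy
copy_extensions = copy
x509_extensions = leaf
[any_policy]
commonName = supplied
[leaf]
basicConstraints = critical, CA:FALSE
EOF
}
# Throw-away CA, then a device CSR (constructed) requesting SAN, keyUsage and CA:TRUE.
make_scenario() {
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 1000 > "$1/serial"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Test CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=device.example" \
        -keyout "$1/device.key" -out "$1/device.csr" -addext "subjectAltName=DNS:device.example" \
        -addext "keyUsage=digitalSignature,keyEncipherment" -addext "basicConstraints=CA:TRUE" 2>/dev/null
}
# Sign the pasted CSR (the CA never sees a private key), then return 0 only if
# the issued cert kept SAN and keyUsage and is CA:FALSE; run this against any CSR-signing UI.
sign_and_check() {
    openssl ca -batch -notext -config "$1/ca.cnf" -days 30 -in "$1/device.csr" -out "$1/device.crt" 2>/dev/null
    ext=$(openssl x509 -in "$1/device.crt" -noout -ext subjectAltName,keyUsage,basicConstraints)
    echo "$ext" | grep -q 'DNS:device.example' && echo "$ext" | grep -q 'Digital Signature' &&
        echo "$ext" | grep -q 'CA:FALSE'
}
```

Run it as `d=$(mktemp -d); write_config "$d"; make_scenario "$d"; sign_and_check "$d" && echo OK`; a signing path that drops the CSR's extensions, as the pull request did at this point, makes the grep for the SAN fail.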
