How to import an SSL certificate signed by a CA?

Status
Not open for further replies.

Kouaki

Cadet
Joined
Oct 18, 2013
Messages
8
Hi there :)

I have a certificate authority and I created a certificate for my freenas server.
When I try to import it, it says the private rsa or dsa key is not valid or not found.

When I try to import a private key & certificate with this format it says "RSA or DSA private key not found":
-----BEGIN PRIVATE KEY-----
[...] base64
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

When I try to import a private key & certificate by adding "RSA" to the header (same base64 key though...) it says "RSA or DSA private key is not valid":
-----BEGIN RSA PRIVATE KEY-----
[...] base64
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

I have totally normal x509 certificates (pem) and I just can't understand what to do to add my private and public keys to the freenas server...

Thanks for your help :)
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
You must supply a key too. Easiest to generate it elsewhere then just paste it all in.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
oops I mean a certificate, of course. You need both a key and a certificate.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Okay, well, it does work, and has since mid-8.0.something days, because I remember being the hard to please user who complained until they fixed the GUI import.

Basically generate a 2048 bit key, then a CSR, then have your CA process the request. Concatenate the key and the cert and paste.
 

Kouaki

Cadet
Joined
Oct 18, 2013
Messages
8
How can I generate a CSR? Do I have to do it using the console?
And why should I do so? I already have the certificate, I just want to import it. I even added a passphrase to it so FreeNAS wouldn't complain about no RSA...
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
You cannot just generate a random certificate and hope it will work. SSL does not work that way.

We do everything with scripts for our local root CA. That won't help you, so instead I suggest Google.

If you are using OpenSSL, I suggest you review the commands and helper scripts to generate a key, then to generate a CSR (which involves providing information that includes the Common Name), and then the certificate signing process that takes your request and generates a certificate from it.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Oh, and, no, do it from a different machine to make it easy on yourself.
 

Kouaki

Cadet
Joined
Oct 18, 2013
Messages
8
For my other linux servers, I just generate a certificate on my CA with the correct common-name and then import the .key and .cert files on the host.
I thought this would be possible with FreeNAS.
I'll generate a CSR with a script, but help is hard to find when it comes to SSL certificates on FreeNAS...
Thanks for your time and for helping me :)
 

Kouaki

Cadet
Joined
Oct 18, 2013
Messages
8
So now you're telling me I could generate a CSR on another Linux host with OpenSSL using the FreeNAS common-name?
That's already what I did on my CA!
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
You should be able to generate it all (key, csr, cert) on the CA host, yes. I just can't easily look for the commands right now because I'm on AT&T's fantastic Chicago area LTE service where page loads take minutes.
 

Kouaki

Cadet
Joined
Oct 18, 2013
Messages
8
My certificate is already fine and I'm sure it's OK because I always do it like that on my other hosts.
What I did was just add a passphrase: openssl rsa -aes256 -in ca-generated-cert.key -out new-cert.key
 

Kouaki

Cadet
Joined
Oct 18, 2013
Messages
8
So, as seen in FreeNAS source code, the check done by the web interface is the following:

Code:
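import subprocess

def get_key_modulus(self, key_file_path, type='rsa'):
    # Excerpt of a method; `self` is the instance of the enclosing class.
    if not key_file_path:
        return None

    # Ask openssl for the key's modulus. `type` is the openssl subcommand
    # (default "rsa"); the key is read from the file at key_file_path.
    proc = subprocess.Popen([
        "/usr/bin/openssl",
        type,
        "-noout",
        "-modulus",
        "-in", key_file_path,
        ],
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        )
    # (the posted excerpt ends here)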


When I run this command on my CA, it returns the modulus!!! The private key is correct!!! What's the problem with this stupid thing?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
So what happens when you do it from the FreeNAS CLI? You seem to have figured out the next logical debug step without actually having done it...
 

r0b07

Cadet
Joined
Nov 22, 2013
Messages
8
Sorry to bump this, but did you ever resolve this?

I'm having the same issue. I have an RSA key (generated using openssl). From that, I generated a CSR and received my signed certificate.

I've used the key/cert combo in many other places (webserver, pfsense, etc) and it works flawlessly. However, when I concatenate them and paste them into the web GUI, FreeNAS (9.1.1 amd64 in my case) complains that: RSA or DSA private key not found.

Any help would be much appreciated.
 

daveed

Cadet
Joined
Jan 7, 2014
Messages
1
Just started using FreeNAS today and found this thread after having the same issue with a StartSSL cert giving the error "RSA or DSA private key not found".

It would only work after using the decrypted RSA key!
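
The two header cases from the opening post and the decrypted-key observation above, as an added example (not FreeNAS code and not part of any post): a stdlib-only check of what a pasted PEM bundle actually contains. It shows that relabelling a `BEGIN PRIVATE KEY` (PKCS#8) block as `RSA PRIVATE KEY` leaves PKCS#8 bytes inside, and it flags passphrase-protected keys. The function names are mine and the DER stubs are constructed for illustration, not real keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _element(der, pos):
    """Return (tag, value offset, value length) of the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, pos + 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")

def der_key_format(der):
    """Both formats start SEQUENCE{INTEGER version; PKCS#1 then has INTEGER, PKCS#8 SEQUENCE."""
    tag, pos, _ = _element(der, 0)               # outer SEQUENCE
    vtag, pos, length = _element(der, pos)       # version INTEGER
    if (tag, vtag) != (0x30, 0x02):
        return "unknown"
    return {0x02: "pkcs1-rsa", 0x30: "pkcs8"}.get(der[pos + length], "unknown")

def inspect_bundle(text):
    """Return (PEM label, verdict) for every block in a pasted key+certificate bundle."""
    findings = []
    for label, body in PEM_RE.findall(text):
        if "PRIVATE KEY" not in label:
            verdict = "not-a-key"
        elif label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            verdict = "encrypted"         # unreadable without the passphrase
        else:
            try:
                verdict = der_key_format(base64.b64decode("".join(body.split())))
            except (ValueError, IndexError):
                verdict = "malformed"
        findings.append((label, verdict))
    return findings

# Constructed DER stubs: correct outer structure only, not real keys.
PKCS1_STUB = bytes.fromhex("300b0201000201230203010001")
PKCS8_STUB = bytes.fromhex("3014020100300d06092a864886f70d01010105000400")

def pem(label, der, headers=""):
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}-----END {label}-----\n"

SAMPLE = (pem("PRIVATE KEY", PKCS8_STUB) + pem("RSA PRIVATE KEY", PKCS8_STUB)
          + pem("RSA PRIVATE KEY", PKCS1_STUB) + pem("CERTIFICATE", b"\x30\x00")
          + pem("RSA PRIVATE KEY", b"\x00" * 16, "Proc-Type: 4,ENCRYPTED\n\n"))

if __name__ == "__main__": print(*inspect_bundle(SAMPLE), sep="\n")
```

A `pkcs8` verdict under an `RSA PRIVATE KEY` label, or an `encrypted` verdict, means the key has to be rewritten with `openssl rsa -in old.key -out new.key` rather than edited by hand (OpenSSL 3.x needs `-traditional` to emit the `RSA PRIVATE KEY` form). The rewritten file is an unencrypted private key, so restrict who can read it.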
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I believe StartSSL requires the use of an intermediate certificate. I don't recall the specifics but Google "startssl intermediate" for more details.
 

BloodThunder

Cadet
Joined
Sep 20, 2014
Messages
2
Just wondering if this issue has been resolved.

I had the same issue, but discovered that I had failed to turn on HTTPS in the SYSTEM/GENERAL menu. After enabling HTTPS, and copy/pasting the keys to the webserver everything went through.

Is there any downside to using the default webserver's key?
 