How to import a web UI certificate bundle?

Stilez

I've got a certificate bundle (intermediate CA stuff and certs) for the internal web server. I'm new to this area; is there guidance on how to import a bundle like that into the Web UI web server?

Thanks!

Samuel Tai

You'll need to use openssl to extract the various parts of the bundle in PEM ASCII format suitable for import into the GUI. See https://unix.stackexchange.com/ques...from-pfx-in-pem-format-without-bag-attributes.

Stilez

Import the intermediate CA files and the actual cert individually, then? As I'm less familiar with this, can you run me through which files I should expect to need to import, and the steps to do, so I can check I do all the ones I need? And which one do I add to my web browser as a new root cert?

This is what I have, and what I know so far:
  • OPNSense (local BSD router very similar to and forked from pfSense) uses Let's Encrypt with automated renewal to generate a root CA for all devices serving https on my domain + LAN. That's working so far.
  • I know it's good practice to use this to sign an intermediate CA, then keep the private key offline safe. Use the intermediate CA to generate the actual HTTPS cert. Done those too, and they work.
  • But I don't know what happens when I renew the original CA every 60 days as LE requires - how that new cert trickles down to any updated intermediate CA etc every month? (If it doesn't, what's the point of requesting a renewal? But if it does do I need to manually resign/reissue my local intermediate CA + https certs every 60 days, and re-import them from OPNSense to TrueNAS?)
  • However it works, I use the intermediate CA to issue a cert for the domain/subdomain/host/IP/whatever for web server use. Again, automated reissue, or can I issue one cert for 10 years?
  • And then I have a ton of files, maybe 3 or 4 per CA or cert so 12 in all, and I need to upload some of them to TrueNAS for its web server use (enough to validate the certificate chain), some in cold storage, and some added to my browser. Which goes where I don't really know.
If you can shed light on this, you probably will understand better than I do, where I'm confused and what aspects I need to understand better.

Any help in making this clearer - it's not at all clear to me right now - would be very good, thanks!

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
On my system, I only needed to import the system cert and private key, and didn't need to import the remainder of the CA chain. Using the instructions in the link, you can extract the cert and private key using

Code:
# Private key only (-nocerts), unencrypted (-nodes); sed keeps just the PEM block, dropping the bag attributes
openssl pkcs12 -in <filename.pfx> -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > <clientcert.key>
# Leaf (client/server) certificate only (-clcerts), no key; again keep just the PEM block
openssl pkcs12 -in <filename.pfx> -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <clientcert.cer>


Then cut and paste the contents of the cert and private key files into System->Certificates, setting the pull-down to "Import Certificate".

[attached screenshot]

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
No, no, no. It's much simpler--just paste the "full chain" (intermediate CA cert(s) and leaf cert) in the "Certificate" field, and the private key in its field. Easy peasy. Or better yet, get the certs on the FreeNAS box itself using Let's Encrypt and automate deployment using my script.

rmvanderspek

Dabbler
Joined
Apr 12, 2022
Messages
13
When I paste my chain certificate I get:

Private key does not match certificate.

Anyone know what to do? When I paste my certificate (without the chain), it works, but some clients don't accept that.