Import GlobalSign Root CA Certificate

Status
Not open for further replies.

thellff (Cadet, joined Aug 19, 2016, 6 messages)
Hi all,

I am trying to import the GlobalSign Root CA certificate into my FreeNAS (9.10-stable).

As indicated here https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates (GlobalSign Root R1 certificate),

- certificate is:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

- serial is: 040000000001154b5ac394

On FreeNAS, in System, CAs, then Import CA, I enter:
- name: GlobalSignRootCA
- certificate: as above
- serial: 040000000001154b5ac394.

With this value for the serial, I get "value is not correct"; so I try with "1" for example, then submit:

Exception Type: Error
Exception Value:
[('PEM routines', 'PEM_read_bio', 'no start line')]
Exception Location: /usr/local/lib/python2.7/site-packages/OpenSSL/_util.py in exception_from_error_queue, line 48


Do you have any idea?

Thanks in advance,
TheLLFF.
 

dlavigne (Guest)
What is the FreeNAS build version (from System -> Information)?
 

danb35 (Hall of Famer, joined Aug 16, 2011, 15,504 messages)
No worries, this is just a Root Certificate, as you can find in IE or Firefox, published by the CA. Thanks.
...and even if it were your personal cert and serial, there'd be no harm in posting it--it's designed to be made public.

But with that said, I've never understood the purpose of importing a CA into FreeNAS--what capability is that supposed to add?
 

thellff
When you import the Root CA certificate, with or without the Intermediate CA certificate, you can chain your personal certificate (never give out your private cert and key!), which can then be trusted through the whole chain.

For example, you buy a www.trump.com certificate for your webserver from GlobalSign.
Then GlobalSign will chain this certificate with its Root CA certificate.
When you go to https://www.trump.com, the certificate published by your site is OK only if the Root CA certificate is in the "trusted root certificates" of your browser. If not, you get an error "no valid certificate", the case where you have to click "OK, bypass", etc.
So it's the same for my FreeNAS.
My personal certificate is from GlobalSign, so I have to put the Root CA certificate into FreeNAS.

Thanks.
 

danb35
The key is absolutely private, and shouldn't be shared with anyone. Anyone can get my cert by going to my website, or by searching crt.sh, or probably other sources as well, so I don't see any reason to protect it. After all, that's the point of public-key crypto.

But if your cert is issued by a trusted CA, you shouldn't ever need to serve your CA's root cert, and the intermediate CA cert (if any) is chained together with your server's cert and entered in the certificate field. With Let's Encrypt (which is what I use), you'd enter the contents of fullchain.pem in the Certificate field. See http://doc.freenas.org/9.10/system.html#certificates.

From TFM (which I probably should have read before raising the question above), the only purpose of either importing or creating a CA in FreeNAS is if you want the FreeNAS box itself to act as the CA--i.e., to issue certificates from the FreeNAS box. Since there's no way that GlobalSign will give you their private key (and they probably couldn't even if they wanted to, since it should be in an HSM), you can't use this.
 

thellff
I agree with you.
But if I want to import a CA certificate, I do not need the private key: that's why it's not mandatory in section 5.9.1 of your link.
I'm sure we can import a CA certificate "just with certificate and serial number", but it does not work.
 

danb35
There are three separate questions here:
  1. What does importing a CA accomplish?
  2. Why do you want to import the CA's root certificate?
  3. Why is FreeNAS giving an error importing this particular CA root certificate?
As to the first question, per TFM, the only use for the CAs in the web GUI is to create certificates. If that's the case--if the CAs that appear here aren't used for anything else--then the private key must be entered for this to work. The fact that the private key is optional is therefore a bug, because the CA can't be used for its intended purpose without the private key. If that isn't the case--if the CAs are used for other purposes--it's a bug in the docs.

On the second question, it sounds like you're wanting to do this to correct trust issues with your browser. This won't do what you're looking for. To view an HTTPS site without certificate warnings, the site's certificate must chain back to a root certificate trusted by the browser--it isn't enough to have a root certificate provided by the remote server (if you could do that, you'd completely destroy the concept of trusted CAs). Thus, even if importing the CA would result in FreeNAS serving up that cert as part of its certificate chain (which it doesn't), that would not resolve trust issues with your browser. If you're getting trust issues, you must import that root CA certificate on your client machine. Actually, you must import it on every client machine that you use to access the FreeNAS web GUI. If the root CA is already on your client machine(s), and you're still getting trust issues, the problem is almost certainly that there's an intermediate cert that you aren't serving. The way to correct that is to enter both the intermediate cert and your server's cert in the Certificate field as I discussed above.

On the third question, that looks like bug-ish behavior.
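
The two points danb35 makes above (the Certificate field takes the server cert plus its intermediate, as in Let's Encrypt's fullchain.pem, and a root served by the server buys nothing unless the client already trusts it) can be checked on a throwaway PKI. The script below is an added example, not code from the thread or from the FreeNAS project: it builds a root -> intermediate -> server chain with openssl, then replays four client situations with `openssl verify`, and finally reproduces the "PEM routines ... no start line" failure from the opening post by parsing a certificate whose -----BEGIN/END----- armour has been stripped. It assumes `openssl` (OpenSSL 1.1.1+ or LibreSSL) is on PATH; the CA names and the host name nas.example.test are made up.

```shell
#!/bin/sh
# Added example (not from the FreeNAS thread or project). Builds a disposable
# root -> intermediate -> server PKI and shows what a client needs in its
# trust store versus what the server must send. Requires openssl on PATH.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CNF="$WORKDIR/ext.cnf"

# Minimal config so `openssl req` does not depend on the system openssl.cnf,
# plus extension sets for CA certificates and for the server (leaf) cert.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:nas.example.test
EOF

# issue_cert CSR ISSUER_CERT ISSUER_KEY EXT_SECTION OUT: sign a CSR one tier down.
issue_cert() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 30 -sha256 -extfile "$CNF" -extensions "$4" -out "$5" 2>/dev/null
}

# Runs in a subshell so the cd does not leak. Hypothetical names throughout.
build_pki() (
    cd "$WORKDIR"
    # Tier 1: self-signed root, the object a browser or OS keeps in its store.
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -x509 -key root.key -out root.pem -days 30 -sha256 \
        -subj "/CN=Example Test Root CA" -config "$CNF" -extensions v3_ca
    # Tier 2: intermediate CA, signed by the root.
    openssl genrsa -out int.key 2048 2>/dev/null
    openssl req -new -key int.key -out int.csr -subj "/CN=Example Test Intermediate CA" -config "$CNF"
    issue_cert int.csr root.pem root.key v3_ca int.pem
    # Tier 3: the server certificate, signed by the intermediate.
    openssl genrsa -out nas.key 2048 2>/dev/null
    openssl req -new -key nas.key -out nas.csr -subj "/CN=nas.example.test" -config "$CNF"
    issue_cert nas.csr int.pem int.key v3_leaf nas.pem
    # What belongs in the FreeNAS Certificate field: server cert, then the
    # intermediate. Same layout as Let's Encrypt's fullchain.pem.
    cat nas.pem int.pem > fullchain.pem
    # The same chain with the root needlessly appended.
    cat fullchain.pem root.pem > fullchain-plus-root.pem
    # An unrelated root: stands in for a client that has never seen ours.
    openssl genrsa -out other.key 2048 2>/dev/null
    openssl req -new -x509 -key other.key -out other-root.pem -days 30 -sha256 \
        -subj "/CN=Some Other Root CA" -config "$CNF" -extensions v3_ca
    # The root cert with its -----BEGIN/END----- armour removed.
    grep -v '^-----' root.pem > headerless.pem
)

# check_chain STORE SERVED LEAF: emulate a client whose trust store is STORE,
# receiving LEAF plus the extra certificates in SERVED ("" for none).
# Echoes "trusted" or "rejected"; openssl's reason goes to stderr.
check_chain() {
    store="$WORKDIR/$1"; leaf="$WORKDIR/$3"
    if [ -n "$2" ]; then set -- -untrusted "$WORKDIR/$2"; else set --; fi
    if out=$(openssl verify -CAfile "$store" "$@" "$leaf" 2>&1); then
        echo trusted
    else
        printf '%s\n' "$out" | grep -i 'error' | head -n 1 >&2
        echo rejected
    fi
}

# Server sends only its own cert: client cannot find the intermediate.
scenario_leaf_only()               { check_chain root.pem "" nas.pem; }
# Server sends cert + intermediate, client trusts the root: the normal case.
scenario_fullchain()               { check_chain root.pem fullchain.pem nas.pem; }
# Server also sends the root, but the client's store holds a different root.
scenario_root_served_not_trusted() { check_chain other-root.pem fullchain-plus-root.pem nas.pem; }
# Server also sends the root and the client trusts it: harmless, redundant.
scenario_root_served_and_trusted() { check_chain root.pem fullchain-plus-root.pem nas.pem; }

# pem_parses FILE: "yes" if openssl reads FILE as a PEM certificate, else "no".
# A blob without its BEGIN line is what yields "PEM routines ... no start line".
pem_parses() {
    if openssl x509 -inform PEM -in "$WORKDIR/$1" -noout >/dev/null 2>&1; then echo yes; else echo no; fi
}

build_pki
for s in scenario_leaf_only scenario_fullchain scenario_root_served_not_trusted scenario_root_served_and_trusted; do
    printf '%-34s %s\n' "$s" "$($s)"
done
printf 'root.pem parses: %s; headerless.pem parses: %s\n' "$(pem_parses root.pem)" "$(pem_parses headerless.pem)"
```

The third scenario is the one the browser warning corresponds to: the root arrives over the wire, openssl can build the full chain, and it still rejects it because that self-signed root is not in the trust store. The only fix is on the client side, and the only server-side fix for the first scenario is to send the intermediate along with the server certificate, which on FreeNAS 9.10 means pasting the contents of fullchain.pem into the Certificate field as described in the 9.10 documentation linked above.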
 

thellff
You are absolutely right on all questions.
This was a misunderstanding on my part.
I just have to import my own certificate, then select it for SSL purposes ... and my web browser will do the job with its certificate stores.
Thanks !
 