SOLVED Internal CA not working

Status
Not open for further replies.

shmixx

Dabbler
Joined
Dec 30, 2013
Messages
37
I was excited to find the new CA/Certificate management section in the interface as I was just about to setup my own internal CA system. I created a new Internal CA, and then subsequently created a new certificate and used this new CA as the Signing CA.

Upon properly importing this into my Mac OS X Keychain as a CA, I'm trying to visit the FreeNAS box which is using this new certificate. When navigating to the page in any browser, I'm hit with the invalid certificate error and it indicates that the CA signing it is unknown.

Has anyone tested this, or is there further detail I can help provide to try and understand what might be missing here or why the CA is not working properly?
 

clinta

Cadet
Joined
Dec 18, 2013
Messages
7
What browser are you testing in? Firefox does not use the OS certificate store, and you will need to import your root CA into Firefox itself. Safari should use the OS X certificate store. Chrome will trust DV certificates in the OS store, but not EV certificates.
 

pjc

Contributor
Joined
Aug 26, 2014
Messages
187
Did you tell the keychain to trust your new CA?

What credentials are on the certificate that's getting served -- is it from iXsystems or is it from your CA? If the former, it's still serving its self-signed cert. If the latter and you're trusting the CA and you're not using Firefox, I'm stumped.
 

shmixx

Dabbler
Joined
Dec 30, 2013
Messages
37
@clinta - I am using Safari and Chrome as my test bed. My understanding from all I've read, though, indicates that all apps should trust Root CAs in the OS X Keychain store. If not, at least Safari should. No EV certificate either, as it is just a basic self-signed CA and self-signed cert.

@pjc - yes, I first tried adding the CA in with the default setting, which was Always Trust for Basic X.509, then I tried adding and marking Always Trust for ALL functions, and neither was working. Yes, I created a fresh CA, then created a certificate signed by that fresh CA, added it to the Keystore on the Mac device and set it to Always Trust for the Root CA certificate. Opened in Safari, getting "certificate not signed by a trusted authority", and I tried restarting the browser as well just in case something was sticking.
 

shmixx

Dabbler
Joined
Dec 30, 2013
Messages
37
So doing some more testing and digging (not at 2 in the AM), I think perhaps this is a bug. The reasoning I've come to is that I created my own basic CA and self-signed certs for running my OpenVPN config. Looking at these certificates and comparing, the biggest difference seen is that the certificates that are working in this setup have the Issuer identified properly as the CA. In the certificates being generated on FreeNAS, the issuer is listed as the same entity, not the CA. I hadn't picked this up originally.

I'm going to guess perhaps despite being asked which certificate to use for signing, the underlying process is not truly signing the certificates being generated with the CA chosen. I also tried importing my CA from OpenVPN config and creating a certificate using this as the signing CA in FreeNAS, same issue. It seems the certificates being kicked out are only self-signed certificates and are not being signed by the CA being chosen. If anyone else wants to test it out, it's pretty easy to create a CA, create a Cert using that CA, and compare the output certificate parameters without even installing on any systems. Going to file this as a bug and see where it goes.
 
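The comparison described above can be done with openssl alone. The script below is an added example, not from the thread or from FreeNAS: it mints a throwaway CA and two certificates with the same subject, one signed by the CA and one self-signed, and classifies each by checking whether its issuer matches the CA's subject and whether the chain verifies. All names are constructed placeholders.

```bash
#!/bin/sh
# Constructed example: a throwaway CA, a CA-signed leaf and a self-signed
# leaf, then a check that tells them apart the way the thread describes.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Throwaway CA (hypothetical name, not a real deployment)
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. A CSR for the NAS, signed by the CA (what a working "Signing CA" should yield)
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=nas.example.internal" \
  -keyout "$WORK/nas.key" -out "$WORK/nas.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/nas.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/nas-signed.crt" 2>/dev/null

# 3. A self-signed certificate with the same subject (what the thread observed)
openssl req -x509 -new -key "$WORK/nas.key" -days 1 \
  -subj "/CN=nas.example.internal" -out "$WORK/nas-selfsigned.crt" 2>/dev/null

# classify_cert CERT CA: prints "ca-signed" when the issuer is the CA's subject
# and the chain verifies, "self-signed" when issuer == subject, else "unknown".
classify_cert() {
  cert=$1; ca=$2
  subject=$(openssl x509 -noout -nameopt RFC2253 -subject -in "$cert")
  issuer=$(openssl x509 -noout -nameopt RFC2253 -issuer -in "$cert" | sed 's/^issuer=/subject=/')
  ca_subject=$(openssl x509 -noout -nameopt RFC2253 -subject -in "$ca")
  if [ "$issuer" = "$ca_subject" ] && openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo ca-signed
  elif [ "$issuer" = "$subject" ]; then
    echo self-signed
  else
    echo unknown
  fi
}

classify_cert "$WORK/nas-signed.crt" "$WORK/ca.crt"       # ca-signed
classify_cert "$WORK/nas-selfsigned.crt" "$WORK/ca.crt"   # self-signed
```

Run the same classify_cert check against a certificate exported from the NAS and the CA it was supposedly signed with; a "self-signed" result is exactly the symptom described in the post.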

pjc

Contributor
Joined
Aug 26, 2014
Messages
187
Got it -- sounds like you tracked this down pretty well. What happens if, instead of using the built-in CA, you create your own CA-signed certificate and simply ask it to serve that?
 

shmixx

Dabbler
Joined
Dec 30, 2013
Messages
37
I didn't try that, but I'm pretty sure it would work, as I'm doing that for one other server in my network right now (self-signed with my other CA for OpenVPN). I've filed bug #6625 - https://bugs.freenas.org/issues/6625#change-28489 as a reference. If anyone else is having this issue or looking for a solution, please add to this bug ticket.

Thanks for the double checking and pointers @clinta and @pjc!
 