system/settings/ssl: how to swap the default self-signed cert to a ca-signed-cert

Status
Not open for further replies.

airflow

Contributor
Joined
May 29, 2014
Messages
111
Hi,

I'm having trouble installing a correctly CA-signed certificate on FreeNAS (Version 9.2.1.8).

Steps I took:
  1. Enable HTTP+HTTPS in settings/general. A self-signed cert is automatically generated; HTTPS access works with this cert.
  2. I generated my own CA-signed certificate. I saved it in the form of key and certificate, both Base64 encoded. The private key is encrypted with a passphrase.
  3. In system/settings/ssl: I cleared all fields in this form except passphrase (where I entered the passphrase for the encrypted private key), and SSL certificate (where I entered the encrypted private key first, then the certificate, both in Base64). The error message I got here was "You can either enter details to internally create a certificate Or You can copy paste your existing keypair and certificate into the 'ssl_certfile' filed. BUT NOT BOTH!"
  4. 2nd try (in system/settings/ssl): I decrypted the private key myself. Then I cleared all fields in this form except SSL certificate, where I entered the decrypted private key first, then the certificate, both in Base64. FreeNAS rejects this with the same error message.
The documentation is not useful here and has no further info on what FreeNAS expects. Has anybody ever used this successfully (with externally generated, correctly signed certificates)? Should I file a bug report?

Thanks,
airflow
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
To be honest, you might want to drop into IRC after 7PM PDT and see if a developer is in and ask how to make that work. :P

I haven't tried to use a CA-signed cert myself, so I can't provide any feedback. Sorry.
 
dlavigne

Guest
And I'm not sure whether or not it supports an encrypted key... Fortunately, the Certificate Manager in the upcoming 9.3 makes this so much easier.
 

airflow

Contributor
Joined
May 29, 2014
Messages
111
Thanks for your feedback. @dlavigne: I also tried with unencrypted private keys. I didn't know that the Certificate Configuration is about to be changed in the upcoming release. In this case I will wait for that release and then try again.

Regards,
airflow
 
dlavigne

Guest
Yup, 9.3 allows you to create/import a CA, create/import/sign certs, and generate CSRs from within the GUI. If you have a test installation/VM to play with, it would be nice to get some feedback on a nightly to verify that it all works as expected.
 

airflow

Contributor
Joined
May 29, 2014
Messages
111
I just installed the nightly build (from yesterday) into a VM and tried a few of the new functions. First and foremost: Great work! It's really intuitive, with better descriptions and much more functionality. I tested two functions:
  • Importing externally generated certificates: This worked fine when using unencrypted private keys. :smile: This is completely OK and sufficient to my mind, but it should be noted somewhere in the dialogue. Also, if you try it with an encrypted key, there is no error-message whatsoever from FreeNAS, instead it shows the certificate correctly in the list and it seems to the user that it worked. Switching to SSL is of course impossible and if you try to export the private key then it throws an exception. My suggestion for resolution is that the import of the certificate should fail if there is some problem with the private key and there should be an error-message notifying the user about this. A more complicated resolution would be to support encrypted private keys, of course.
  • Generating a CSR, signing it externally and importing the public certificate only: This worked fine in my tests. :smile:
Some additional notes:
The description of the form field "Common Name" says "Common Name, e.g YOUR name". I would change that to "Common Name, e.g. FQDN of your FreeNAS-box or service". Technically both are correct, but for 99% of the users the last one would be the right choice.
Also, when you have multiple certificates installed and want to change the one used for management via HTTPS, changes are not reflected. FreeNAS continues to use the old certificate until you switch to HTTP only and back. Perhaps this could be handled better if the certificate is changed.

Regards,
airflow
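
The import-time check suggested in the post above (reject a pasted key that is still passphrase-encrypted instead of accepting it silently), as an added example that is not part of any post in this thread and is not FreeNAS code. The function names and the sample PEM blocks are constructed for illustration; the check looks only at PEM structure and does not verify that the key matches the certificate.

```python
import re

# A PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
BODY = "Q09OU1RSVUNURUQ="  # constructed placeholder, not real key material

def pem(label, headers=""):
    """Build a constructed sample PEM block for this demonstration."""
    return f"-----BEGIN {label}-----\n{headers}{BODY}\n-----END {label}-----\n"

CERT = pem("CERTIFICATE")
PLAIN_KEY = pem("RSA PRIVATE KEY")
# Traditional OpenSSL encryption: same label, encryption headers inside the block.
LEGACY_ENC_KEY = pem("RSA PRIVATE KEY",
                     "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC," + "0" * 32 + "\n\n")
# PKCS#8 encryption: the label itself says ENCRYPTED.
PKCS8_ENC_KEY = pem("ENCRYPTED PRIVATE KEY")

def classify_pem_blocks(blob):
    """Return (label, encrypted) for every PEM block found in the pasted text."""
    blocks = []
    for label, body in PEM_RE.findall(blob):
        legacy = re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M) is not None
        blocks.append((label, label == "ENCRYPTED PRIVATE KEY" or legacy))
    return blocks

def check_import(blob):
    """Return a list of problems; an empty list means the paste looks importable."""
    blocks = classify_pem_blocks(blob)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    problems = []
    if not keys:
        problems.append("no private key block found")
    if not certs:
        problems.append("no certificate block found")
    if any(encrypted for _, encrypted in keys):
        problems.append("private key is passphrase-encrypted; decrypt it before import")
    return problems

if __name__ == "__main__":
    samples = {"plain": PLAIN_KEY + CERT, "legacy-encrypted": LEGACY_ENC_KEY + CERT,
               "pkcs8-encrypted": PKCS8_ENC_KEY + CERT, "cert only": CERT}
    for name, blob in samples.items():
        print(f"{name}: {check_import(blob) or 'ok'}")
```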
 
dlavigne

Guest
Great to hear it is working well!

Please create a feature request at bugs.freenas.org for your first additional note and a bug report at the same URL for your second additional note and post the issue numbers here. Hopefully that polish can make it into RELEASE.
 