Allow import of encrypted CA key
This worked on 9.3 when I did it last. Trying to import my root CA certificate and key, which is encrypted. I type the passphrase (and I know it's correct) and the import fails every time with the error "Incorrect passphrase".
#4 Updated by Suraj Ravichandran about 2 years ago
I had not implemented passphrase CAs and as far as I recollect, honestly I do not see the point of passphrase encrypted CAs.
For example, our UI does not provide you with a way to enter the passphrase when creating an end-point cert from this passphrase encrypted CA.
If I am wrong in my hypothesis above, please correct me. But, unless my manager (Kris) instructs me otherwise I will not raise this priority level and/or expedite its delivery date.
Also, while we are here, please elaborate as to how it was working for you before and what you were using this CA for: LDAP or issuing a new cert or ...
So, yes, since at most about 2% of the freenas community used this (if it ever worked, that is), I say this is a Nice to Have.
I hope you understand.
Thanks and Regards,
#5 Updated by Alessandro Segala about 2 years ago
Thanks for commenting. I would suggest removing the feature completely from the UI, then, as it doesn't really look good to have something there that doesn't work.
I have my own CA, and I use it to connect to other servers in the network and to generate SSL certificates (e.g. for the web UI). Before it was... just working: I'd copy/paste my public and private keys, then type the passphrase and it would work. That's why I'm saying it's a bug...
#6 Updated by Suraj Ravichandran about 2 years ago
So, to better assess this situation, you had imported a passphrase encrypted CA and then issued an end-point cert from it which you used for the webUI and it worked?
If this is the case then there might be something I need to go check and verify to see how that encrypted CA was able to sign the webui cert without being prompted for the passphrase.
Also, yes I have indeed thought of nuking this from the UI, but the contemplation of whether to nuke it or somehow fix it remained and thus this stayed as it is.
#8 Updated by Dale Stevens about 2 years ago
I wanted to add a +1 to this. I'm having the same exact issue here.
I don't understand why we'd be prompted for a password if this feature is not supported. Now I have to go generate another cert that is unencrypted. I've already generated two because I assumed the error was on my part and I'd fat-fingered the password. Not the case.
Thanks for considering this a priority!
Edit: For posterity, I just removed the passphrase from the key.
openssl rsa -in ~/MyEncrypted.key -out ~/MyUnencrypted.key
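The workaround in the post above (strip the passphrase, then import the plain key) is easy to get wrong when you are not sure whether a key is actually encrypted, or in which PEM form. The following is an added example, not code from the FreeNAS project or from anyone in this thread: a small POSIX shell helper that classifies a PEM private key by its headers before you touch it, reports the cipher of a legacy-encrypted key, and only then runs the thread's openssl command with the passphrase fed on stdin rather than on the command line. The sample key files it writes are constructed placeholders with no real key material; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the FreeNAS project): inspect a PEM private key
# before importing it, so an encrypted key is recognised up front instead
# of failing inside the import dialog, and strip the passphrase only when
# the key really carries one.

# Classify a PEM private key file by its headers.
# Prints one of: legacy-encrypted | pkcs8-encrypted | plain | unknown
key_encryption_kind() {
    f="$1"
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pkcs8-encrypted            # PKCS#8: passphrase protects the DER blob
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo legacy-encrypted           # traditional PEM with a DEK-Info header
    elif grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"; then
        echo plain                      # no passphrase at all
    else
        echo unknown
    fi
}

# Cipher named in the DEK-Info header of a legacy-encrypted key (empty otherwise).
legacy_cipher() {
    sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1"
}

# Write an unencrypted copy of an RSA key: the thread's "openssl rsa -in ... -out"
# command, with the passphrase read from stdin so it never shows up in "ps".
# Refuses to run on a key that is not encrypted (nothing to strip).
strip_passphrase() {
    in="$1"; pass="$2"; out="$3"
    case "$(key_encryption_kind "$in")" in
        legacy-encrypted|pkcs8-encrypted) ;;
        *) echo "refusing: $in is not an encrypted key" >&2; return 1 ;;
    esac
    # umask 077 so the decrypted key is never group- or world-readable
    ( umask 077 && printf '%s\n' "$pass" | openssl rsa -in "$in" -passin stdin -out "$out" )
}

# Constructed sample files: only the headers matter, the bodies are placeholders.
tmp="$(mktemp -d)"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
    'PLACEHOLDERBASE64' '-----END RSA PRIVATE KEY-----' > "$tmp/legacy.key"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDERBASE64' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$tmp/pkcs8.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBASE64' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/plain.key"

for k in legacy pkcs8 plain; do
    echo "$k.key: $(key_encryption_kind "$tmp/$k.key")"
done
echo "legacy cipher: $(legacy_cipher "$tmp/legacy.key")"
```

Run the classifier on your CA key first; if it reports `plain`, the "Incorrect passphrase" error is not about the passphrase you typed, and if it reports one of the encrypted kinds, `strip_passphrase` produces the unencrypted copy the import dialog accepts. Delete that copy once the import is done, since it is the same secret without its protection.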