Bug #24212

Allow import of encrypted CA key

Added by Alessandro Segala over 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Nice to have
Assignee: Nikola Gigic
Category: GUI (new)
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

This worked on 9.3 when I did it last. Trying to import my root CA certificate and key, which is encrypted. I type the passphrase (and I know it's correct) and the import fails every time with the error "Incorrect passphrase".


Related issues

Is duplicate of FreeNAS - Bug #11585: No check if SSL certificate and private key match (Closed: Duplicate, 2015-09-19)
Is duplicate of FreeNAS - Bug #25304: Invalid SSL certificate prevents nginx from starting and makes WebGUI inaccessible (Closed: Duplicate, 2017-07-26)

Associated revisions

Revision fcf76aeb (diff)
Added by Nikola Gigic over 1 year ago

fix(gui): Importing an encrypted CA key fails with "incorrect passphrase"
Ticket: #24212

Revision b5b5e23f (diff)
Added by Nikola Gigic over 1 year ago

fix(gui): Importing an encrypted CA key fails with "incorrect passphrase"

Ticket: #24212

Revision 47a3fe16 (diff)
Added by Nikola Gigic over 1 year ago

fix(gui): Importing an encrypted CA key fails with "incorrect passphrase"

Ticket: #24212

Revision fa4ee13b (diff)
Added by Nikola Gigic over 1 year ago

fix(gui): Importing an encrypted CA key fails with "incorrect passphrase" (#298)

Ticket: #24212

Revision 8812f6c3 (diff)
Added by Nikola Gigic over 1 year ago

fix(gui): Importing an encrypted CA key fails with "incorrect passphrase"
Ticket: #24212

Revision ac4a58a0 (diff)
Added by Nikola Gigic over 1 year ago

fix(gui): Importing an encrypted CA key fails with "incorrect passphrase" (#301)

Ticket: #24212

Revision ef0d6085 (diff)
Added by Nikola Gigic about 1 year ago

fix(gui): Importing an encrypted CA key fails with "incorrect passphrase" (#298)

Ticket: #24212

Revision dc6b7c3e (diff)
Added by Nikola Gigic about 1 year ago

fix(gui): Importing an encrypted CA key fails with "incorrect passphrase" (#301)

Ticket: #24212

History

#1 Updated by Alessandro Segala over 1 year ago

As a note, the password's charset is [a-zA-Z0-9], so no special characters that could cause issues with encoding.

#2 Updated by Suraj Ravichandran over 1 year ago

  • Status changed from Unscreened to Screened
  • Priority changed from No priority to Nice to have
  • Target version set to 11.1

#3 Updated by Alessandro Segala over 1 year ago

Why is this scheduled for 11.1? This is blocking a critical feature and it was working before... Not really a "nice to have" :)

#4 Updated by Suraj Ravichandran over 1 year ago

I had not implemented passphrase CAs and as far as I recollect, honestly I do not see the point of passphrase encrypted CAs.

For example, our UI does not provide you with a way to enter the passphrase when creating an end-point cert from this passphrase encrypted CA.

If I am wrong in my hypothesis above, please correct me. But, unless my manager (Kris) instructs me otherwise I will not raise this priority level and/or expedite its delivery date.

Also, while we are here please elaborate as to how it was working for you before and what were you using this CA for: LDAP or issuing a new cert or ...

So, yes, since about a max of 2% of the FreeNAS community used this (if it ever worked, that is), I say this is a Nice to Have.

I hope you understand.

Thanks and Regards,

Suraj Ravichandran

#5 Updated by Alessandro Segala over 1 year ago

Thanks for commenting. I would suggest removing the feature completely from the UI, then, as it doesn't really look good to have something there that doesn't work.

I have my own CA, and I use it to connect to other servers in the network and to generate SSL certificates (e.g. for the web UI). Before it was... just working: I'd copy/paste my public and private keys, then type the passphrase and it would work. That's why I'm saying it's a bug...

#6 Updated by Suraj Ravichandran over 1 year ago

So, to better assess this situation, you had imported a passphrase encrypted CA and then issued an end-point cert from it which you used for the webUI and it worked?

If this is the case then there might be something I need to go check and verify to see as to how that encrypted CA was able to sign the webui cert without being prompted for the passphrase.

Also, yes I have indeed thought of nuking this from the UI, but the contemplation of whether to nuke it or somehow fix it remained and thus this stayed as it is.

#7 Updated by Alessandro Segala over 1 year ago

"You had imported a passphrase encrypted CA and then issued an end-point cert from it which you used for the webUI and it worked?"

Correct. I do not recall if I had to type a passphrase (it's been a long time), but I do not believe so.

#8 Updated by Dale Stevens over 1 year ago

I wanted to add a +1 to this. I'm having the same exact issue here.

I don't understand why we'd be prompted for a password if this feature is not supported. Now I have to go generate another cert that is unencrypted. I've already generated two because I assumed the error was on my part and I'd fat-fingered the password. Not the case.

Thanks for considering this a priority!

~ Dale

Edit: For posterity, I just removed the passphrase from the key.

openssl rsa -in ~/MyEncrypted.key -out ~/MyUnencrypted.key
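An added example, not part of the original thread or of the FreeNAS code: shell checks to run before an import that report whether a PEM key is encrypted, whether the passphrase decrypts it, and whether the key matches the certificate, plus a passphrase-removal step like the command above that writes its output owner-only. The function names and the CA_KEY_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-import checks for a PEM CA certificate and private key.
# The passphrase is taken from the CA_KEY_PASS environment variable (a name
# chosen for this example) so it never shows up in the process argument list.

# Prints "encrypted" or "plaintext" based on the PEM header of the key file.
# Matches both "BEGIN ENCRYPTED PRIVATE KEY" and "Proc-Type: 4,ENCRYPTED".
key_state() {
    if grep -q 'ENCRYPTED' "$1"; then echo encrypted; else echo plaintext; fi
}

# $1 = certificate, $2 = private key.
# Prints ok | bad-passphrase | bad-key | bad-cert | mismatch; returns 0 only
# for ok. bad-passphrase can also mean a damaged encrypted key.
check_ca_pair() {
    : "${CA_KEY_PASS:=}"; export CA_KEY_PASS
    # Deriving the public key forces openssl to decrypt the private key.
    key_pub=$(openssl pkey -in "$2" -passin env:CA_KEY_PASS -pubout 2>/dev/null) || {
        if [ "$(key_state "$2")" = encrypted ]; then echo bad-passphrase
        else echo bad-key; fi
        return 1
    }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo bad-cert; return 1; }
    # Same public key on both sides means the key belongs to the certificate.
    if [ "$key_pub" = "$cert_pub" ]; then echo ok; else echo mismatch; return 1; fi
}

# $1 = encrypted key, $2 = output path. Writes an unencrypted copy that only
# the owner can read; the result is a bare CA signing key and needs that care.
strip_passphrase() {
    : "${CA_KEY_PASS:=}"; export CA_KEY_PASS
    ( umask 077 && openssl pkey -in "$1" -passin env:CA_KEY_PASS -out "$2" 2>/dev/null )
}
```

Running `check_ca_pair` first separates a wrong passphrase from a key that simply does not belong to the certificate, two cases an import form can otherwise report with the same message.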

#9 Updated by Tobias Müllauer over 1 year ago

Same here, I cannot get around this. I put in the password that the cert may have but it says it is incorrect.

#10 Updated by Dru Lavigne over 1 year ago

  • Assignee changed from Suraj Ravichandran to William Grzybowski

William: please load balance between Vladimir and Nikola.

#11 Updated by William Grzybowski over 1 year ago

  • Category changed from Middleware to 2
  • Status changed from Screened to Unscreened
  • Assignee changed from William Grzybowski to Nikola Gigic

#12 Updated by Nikola Gigic over 1 year ago

  • Status changed from Unscreened to Screened

#13 Updated by William Grzybowski over 1 year ago

  • Status changed from Screened to Ready For Release

#14 Updated by Dru Lavigne over 1 year ago

  • Subject changed from Importing an encrypted CA key fails with "incorrect passphrase" to Allow import of encrypted CA key

#15 Updated by Dru Lavigne about 1 year ago

  • Is duplicate of Bug #11585: No check if SSL certificate and private key match added

#16 Updated by Dru Lavigne about 1 year ago

  • Is duplicate of Bug #25304: Invalid SSL certificate prevents nginx from starting and makes WebGUI inaccessible added

#17 Updated by Dru Lavigne about 1 year ago

  • Target version changed from 11.1 to 11.1-BETA1

#18 Updated by Dru Lavigne about 1 year ago

  • Status changed from Ready For Release to Resolved

#19 Updated by Bonnie Follweiler about 1 year ago

  • Needs QA changed from Yes to No
  • QA Status Test Passes FreeNAS added
  • QA Status deleted (Not Tested)
