RE: [pfSense Support] Certificate
Thank you. That answers my question.

Dwane

From: Carlos Vicente [mailto:cjpvice...@gmail.com]
Sent: Tuesday, June 21, 2011 11:36 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Certificate

You can create 2048-bit certificates (OpenVPN); all you need is to change that specific line in the vars file before creating the certificates.

On Tue, Jun 21, 2011 at 4:54 PM, Atkins, Dwane P atki...@uthscsa.edu wrote:
> Is pfSense Version 1.2.3 capable of handling a 2048-bit certificate? Or does it need to be 1024 bit?
>
> Dwane

RE: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page
Merul,

Thanks for your assistance and config sample. The SSL certs now work on Firefox, Safari and IE. Had to load some shellcmd lines in the XML to kill all lighttpd processes and restart with the correct ssl conf file... since any reboot of pfSense overwrites all the conf files.

Thanks again.

-Jon

From: Merul Patel [mailto:merul.pa...@gmail.com]
Sent: Friday, January 22, 2010 1:29 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page

On 21 Jan 2010, at 22:14, Tancinco, Jon wrote:
> Thanks for your help Lyle. I've seen this solution...
>
>     SSLEngine On
>     SSLCertificateFile /etc/httpd/ssl/*.serverdensity.com.crt
>     SSLCertificateKeyFile /etc/httpd/ssl/*.serverdensity.com.key
>     SSLCertificateChainFile /etc/httpd/ssl/gd_bundle.crt
>
> But since pfSense uses lighttpd, I don't know how to add this line. And it gets overwritten by the xml config file during reboot.
>
> -Jon

Jon,

I use Lighttpd for other production sites and also use GoDaddy for their SSL certs. Here's the relevant section from my lighttpd config:

    $SERVER["socket"] == "XXX.XXX.XXX.XXX:443" {
        ssl.engine  = "enable"
        # site certificate and private key in one PEM file
        ssl.pemfile = "/etc/apache2/ssl/DOMAIN.ucc.pem"
        # intermediate CA bundle that completes the chain
        ssl.ca-file = "/etc/apache2/ssl/gd_intermediate_bundle.crt"
    }

BR
Merul

Re: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page
On 21 Jan 2010, at 22:14, Tancinco, Jon wrote:
> Thanks for your help Lyle. I’ve seen this solution...
>
>     SSLEngine On
>     SSLCertificateFile /etc/httpd/ssl/*.serverdensity.com.crt
>     SSLCertificateKeyFile /etc/httpd/ssl/*.serverdensity.com.key
>     SSLCertificateChainFile /etc/httpd/ssl/gd_bundle.crt
>
> But since pfSense uses lighttpd, I don’t know how to add this line. And it gets overwritten by the xml config file during reboot.
>
> -Jon

Jon,

I use Lighttpd for other production sites and also use GoDaddy for their SSL certs. Here's the relevant section from my lighttpd config:

    $SERVER["socket"] == "XXX.XXX.XXX.XXX:443" {
        ssl.engine  = "enable"
        # site certificate and private key in one PEM file
        ssl.pemfile = "/etc/apache2/ssl/DOMAIN.ucc.pem"
        # intermediate CA bundle that completes the chain
        ssl.ca-file = "/etc/apache2/ssl/gd_intermediate_bundle.crt"
    }

BR
Merul

Re: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page
On Thu, Jan 21, 2010 at 3:58 PM, Chris Buechler cbuech...@gmail.com wrote:
> That's a problem with the cert. That means the CA that signed your cert isn't trusted by those browsers. That's what you get at times with cut rate CAs like Godaddy, though that's where we get our certs and I haven't seen any such issues on ours, I have on other certs I've gotten from Godaddy in the past. I would contact them and complain, any cert you pay for should be recognized by all the major browsers.

I thought I might correct this misconception about why certificate chains exist. GoDaddy and other CAs have a master certificate which is installed in browsers. If they would use this master certificate to sign regular certificates and it would be compromised, they would need to have the certificate removed from everywhere it is installed (not a simple task). Instead, they create several other certificates and use those to generate regular certificates. Then, if there is a problem, they can revoke the sub-certificate.

So your browser almost certainly has the GoDaddy root certificate installed, it just does not know the chain. The way I solved this problem (I get certs from StartSSL, and almost no one has the intermediate certificates from them) was by pasting the intermediate cert in the regular certificate box in the admin area. I am not sure if that is supposed to work, but I have not had any problems with it.

- YK

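
The chain behaviour described in the message above can be reproduced offline. This is an added example, not part of the original thread: it builds a constructed root, intermediate and leaf with the openssl CLI and checks that the leaf verifies only when the intermediate is presented with it. All subject names, file names and the helper functions `make_pki` and `chain_ok` are made up for the demo.

```shell
#!/bin/sh
# Constructed demo PKI (root -> intermediate -> leaf); every name is made up.

make_pki() {  # $1 = empty working directory
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
    # Root: stands in for the CA certificate already installed in browsers.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Intermediate: signed by the root, used for day-to-day issuance.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -days 2 -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/demo.cnf" \
        -extensions v3_ca -out "$d/inter.crt" 2>/dev/null
    # Leaf: the site certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=portal.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -days 2 -CA "$d/inter.crt" \
        -CAkey "$d/inter.key" -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
}

# chain_ok ROOT LEAF [SENT]: succeed only if LEAF chains to ROOT using
# nothing but the extra certificates (SENT) the server presents with it.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
    fi
}

demo=$(mktemp -d)
make_pki "$demo"
if chain_ok "$demo/root.crt" "$demo/leaf.crt"; then
    echo "leaf alone: trusted"
else
    echo "leaf alone: NOT trusted (issuer unknown to the client)"
fi
if chain_ok "$demo/root.crt" "$demo/leaf.crt" "$demo/inter.crt"; then
    echo "leaf + intermediate: trusted"
else
    echo "leaf + intermediate: NOT trusted"
fi
```

A client that happens to have the intermediate cached from another site will pass the first check anyway, which is consistent with one browser accepting a certificate that others reject.
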
Re: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page
On Thu, Jan 21, 2010 at 3:20 PM, Tancinco, Jon tanci...@humnet.ucla.edu wrote:
> Hello. I’d appreciate any help in getting GoDaddy wildcard certificates for Captive Portal SSL Authentication page configured correctly for IE and Safari browsers. I have entered the certificate and private key from the pem file from GoDaddy.
>
> Currently, the authentication page loads fine on Firefox – maybe a bit slow. No SSL errors. On Safari, the authentication page comes up with “can’t verify the identity of the website”. Using IE, I get the following “There is a problem with this website’s security certificate.” error.

That's a problem with the cert. That means the CA that signed your cert isn't trusted by those browsers. That's what you get at times with cut rate CAs like Godaddy, though that's where we get our certs and I haven't seen any such issues on ours, I have on other certs I've gotten from Godaddy in the past. I would contact them and complain, any cert you pay for should be recognized by all the major browsers.

To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org

Re: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page
Chris Buechler wrote:
> On Thu, Jan 21, 2010 at 3:20 PM, Tancinco, Jon tanci...@humnet.ucla.edu wrote:
>> Hello. I’d appreciate any help in getting GoDaddy wildcard certificates for Captive Portal SSL Authentication page configured correctly for IE and Safari browsers. I have entered the certificate and private key from the pem file from GoDaddy.
>>
>> Currently, the authentication page loads fine on Firefox – maybe a bit slow. No SSL errors. On Safari, the authentication page comes up with “can’t verify the identity of the website”. Using IE, I get the following “There is a problem with this website’s security certificate.” error.
>
> That's a problem with the cert. That means the CA that signed your cert isn't trusted by those browsers. That's what you get at times with cut rate CAs like Godaddy, though that's where we get our certs and I haven't seen any such issues on ours, I have on other certs I've gotten from Godaddy in the past. I would contact them and complain, any cert you pay for should be recognized by all the major browsers.

We have a partnership with Network Solutions for certs from them and for websites, there is a way to include intermediate CA certs to make the certs from NetSol valid for all browsers.

    SSLCertificateFile /etc/httpd/conf/ssl/name of cert file.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/name of key.key
    SSLCertificateChainFile /etc/httpd/conf/ssl/inter_ca.crt

This last file is what does the magic for a webserver running Apache. I don't know all the ins and outs of this, but this last file is the one that completes the chain from the site cert to the CA certs.

I would bet there is something like that available for the GoDaddy certs, but if pfSense has a way to include that I don't know.

Here's the link to NetSol's docs on this issue:
http://www.networksolutions.com/support/installing-ssl-certificate-topics/
(click on the big green plus symbol on this screen)

Here's a link at GoDaddy on their intermediate CA certs:
http://help.godaddy.com/article/869

Lyle Giese
LCR Computer Services, Inc.

RE: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page
Thanks for your help Lyle. I've seen this solution...

    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/*.serverdensity.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/*.serverdensity.com.key
    SSLCertificateChainFile /etc/httpd/ssl/gd_bundle.crt

But since pfSense uses lighttpd, I don't know how to add this line. And it gets overwritten by the xml config file during reboot.

-Jon

From: Lyle Giese [mailto:l...@lcrcomputer.net]
Sent: Thursday, January 21, 2010 1:16 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page

Chris Buechler wrote:
> On Thu, Jan 21, 2010 at 3:20 PM, Tancinco, Jon tanci...@humnet.ucla.edu wrote:
>> Hello. I'd appreciate any help in getting GoDaddy wildcard certificates for Captive Portal SSL Authentication page configured correctly for IE and Safari browsers. I have entered the certificate and private key from the pem file from GoDaddy.
>>
>> Currently, the authentication page loads fine on Firefox - maybe a bit slow. No SSL errors. On Safari, the authentication page comes up with "can't verify the identity of the website". Using IE, I get the following "There is a problem with this website's security certificate." error.
>
> That's a problem with the cert. That means the CA that signed your cert isn't trusted by those browsers. That's what you get at times with cut rate CAs like Godaddy, though that's where we get our certs and I haven't seen any such issues on ours, I have on other certs I've gotten from Godaddy in the past. I would contact them and complain, any cert you pay for should be recognized by all the major browsers.

We have a partnership with Network Solutions for certs from them and for websites, there is a way to include intermediate CA certs to make the certs from NetSol valid for all browsers.

    SSLCertificateFile /etc/httpd/conf/ssl/name of cert file.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/name of key.key
    SSLCertificateChainFile /etc/httpd/conf/ssl/inter_ca.crt

This last file is what does the magic for a webserver running Apache. I don't know all the ins and outs of this, but this last file is the one that completes the chain from the site cert to the CA certs.

I would bet there is something like that available for the GoDaddy certs, but if pfSense has a way to include that I don't know.

Here's the link to NetSol's docs on this issue:
http://www.networksolutions.com/support/installing-ssl-certificate-topics/
(click on the big green plus symbol on this screen)

Here's a link at GoDaddy on their intermediate CA certs:
http://help.godaddy.com/article/869

Lyle Giese
LCR Computer Services, Inc.

Re: [pfSense Support] Certificate Errors (Safari and Internet Explorer) using GoDaddy Wildcard SSL Certificates for Captive Portal SSL Login Page
On Thu, Jan 21, 2010 at 4:16 PM, Lyle Giese l...@lcrcomputer.net wrote:
> We have a partnership with Network Solutions for certs from them and for websites, there is a way to include intermediate CA certs to make the certs from NetSol valid for all browsers.

Ah yes, in some cases you'll need this. You'll have to hard code it in the lighty config, check /etc/inc/services.inc.