Reissue certificate picks wrong key-type #8338
Comments
|
Unfortunately the exact type doesn't seem to be a part of openssl_x509_parse(), which means we can't map it back to the initial choices. If we could map it reliably, I wouldn't mind implementing it. (It's a nice to have feature) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
Testing the reissue and replace certificate option on 25.1 and for some reason the key-type and the digest algorithm seem to switch back to, I guess, a default rsa-2048-sha256 while the original certificate was secp256r1-sha384. This holds both for the server type and the client type reissuing. The intermediate-ca and root-ca both have the same secp384r1-sha384 created internally, if that matters (don't think so).
Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)
To Reproduce
Create root-ca and intermediate-ca with secp256r1-sha384 and issue a server cert with secp256r1-sha384. Next try to reissue the created server cert. Settings will be rsa-2048-sha256 while the original was secp256r1-sha384.
Expected behavior
Reissue the cert with the exact same key-type and digest algorithm with which it was issued originally before trying to reissue it.
Describe alternatives you considered
None
Screenshots
Relevant log files
None
Additional context
None
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 25.1-amd64
AMD Ryzen Embedded V1500B (DEC750)
The text was updated successfully, but these errors were encountered: