Export UCS RootCA

Hi @all,

On the UCS 5.0.1 I exported the rootCA ‘ucs-root-ca.crt’ via the UMC.

I now want to import this into pfSense in order to be able to query users with the UCS-LDAP via STARTTLS. On the pfSense there are the fields under CA’s / Import:

  • Certificate data
  • Private certificate key (optional)

I can look at the certificate on the PC with all the details but which data do I have to copy into the fields?

with best
sven

Certificates can be used for 2 things:

  1. confirm that the server you’re talking to is actually the right one and not some other one impersonating it. For this the server offers a certificate containing its FQHN and signed by a public CA. The client can verify the certificate by building a path from that certificate to one of the trusted root CAs stored on the client itself. As UCS has its own CA to build server certificates itself, this rootCA certificate must be added to the root CA store of all clients manually: on Debian based systems copy the ucs-root-ca.crt to /usr/local/share/ca-certificates/ and execute /usr/sbin/update-ca-certificates as root.
  2. you can use certificates for authentication instead of username and password. For that you create a private key and get a client certificate for the public key. This certificate then identifies you as yourself and you need access to your private key to prove that it is you by signing some server-provided data.

When pfSense asks for a Private certificate key it looks like the 2nd kind of certificate, where you use certificates for authentication.
Looking at the pfSense documentation, just paste the PEM-encoded certificate into Certificate data and leave Private certificate key empty, as it is optional anyway.

That is exactly my problem. There is a text field in the pfSense web UI (Certificate Data) that tells me to:

Insert a certificate in X.509 PEM here.

I open the certificate file on the client to view it, but I don’t know which part of the displayed data to copy into the text field.

Read the quoted document:

Certificate Data
The PEM-encoded certificate data for the CA.
Certificate data is typically contained in a file ending with .crt or .pem. It would be plain text, and enclosed in a block such as:
-----BEGIN CERTIFICATE-----
[A bunch of random-looking base64-encoded data]
-----END CERTIFICATE-----

So basically the full file, as returned by curl http://127.0.0.1/ucs-root-ca.crt.
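As an added illustration (not part of this thread), a small Python helper that pulls the complete PEM block, the part to paste into pfSense’s Certificate data field, out of whatever a certificate viewer displays, rejects bodies that do not decode to DER, and prints a SHA-256 fingerprint to compare against the copy on the UCS server. The sample input is constructed and its PEM body is a dummy DER sequence, not a real certificate.

```python
import base64
import hashlib
import re
from typing import List

# One PEM certificate block, BEGIN line through END line inclusive.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL
)

def _der_bytes(body: str) -> bytes:
    """Decode a PEM body to DER and check it is an ASN.1 SEQUENCE (tag 0x30)."""
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return der

def extract_pem_certificates(text: str) -> List[str]:
    """Return every complete PEM certificate block in `text`.

    Viewers such as `openssl x509 -text` print a readable dump before the
    PEM block; only the block itself (BEGIN line, base64 body, END line)
    belongs in pfSense's "Certificate data" field. CRLF is normalised to LF.
    """
    blocks = []
    for m in PEM_CERT_RE.finditer(text):
        _der_bytes(m.group(1))  # raises if the body is not DER
        blocks.append(m.group(0).replace("\r\n", "\n"))
    return blocks

def sha256_fingerprint(pem_block: str) -> str:
    """SHA-256 of the DER bytes, colon-separated as openssl prints it."""
    der = _der_bytes(PEM_CERT_RE.match(pem_block).group(1))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

# Constructed sample (not a real certificate): a viewer-style dump followed
# by a PEM block whose body is the tiny DER SEQUENCE 30 03 02 01 01.
SAMPLE_VIEWER_OUTPUT = """\
Certificate:
        Issuer: CN = UCS Root CA (constructed sample)
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for block in extract_pem_certificates(SAMPLE_VIEWER_OUTPUT):
        print(block + "\nSHA256 Fingerprint=" + sha256_fingerprint(block))
```

Run it against the real ucs-root-ca.crt (or the output of a viewer) and paste exactly the printed block; the fingerprint should match what `openssl x509 -noout -fingerprint -sha256` reports on the UCS host.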
