Re: [pfSense] Web GUI certs

2014-05-22 Thread Olivier Mascia
On 22 May 2014 at 04:04, Volker Kuhlmann wrote:

> What exactly should I be putting into the pfsense cert manager to get a
> similar effect? And make the browser accept the IP address(es) too?

You need to properly define the alternative names of your server certificate.
You typically don't do that on CA certificates.

pfsense cert manager has this in the create internal certificate screen.

The real X509 alt names extension would be a string such as this one:
"IP:192.168.3.7, IP:fe80::1234:1234:1234:abcd, DNS:localhost, 
DNS:*.mydomain.top"

The pfsense GUI offers you to enter multiple pairs of a type and a value, which 
for this example would be:

IP  192.168.3.7
IP  fe80::1234:1234:1234:abcd
DNS localhost
DNS *.mydomain.top

__
Olivier Mascia
tipgroup.com/om


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
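To make concrete what that "IP:..., DNS:..." string actually becomes inside a certificate, and what a browser does with it, here is an added example (not part of the thread, and not pfSense's own code). It takes the SAN string from the reply above, encodes it as the DER GeneralNames structure the subjectAltName extension carries (RFC 5280 4.2.1.6), decodes it back, and applies the name-matching rules a TLS client uses. Two caveats it makes explicit: an iPAddress entry is an exact 4- or 16-octet address with no subnet form, so "any IP in the subnet" cannot be put into a server certificate; and a wildcard matches exactly one label, so *.mydomain.top covers www.mydomain.top but not mydomain.top itself, and browsers refuse a wildcard that covers a whole top-level label such as *.site. Only the Python standard library is used; `san_matches` and the other function names are this example's own.

```python
import ipaddress

# Constructed input: the SAN string quoted in the reply above.
SAN_STRING = ("IP:192.168.3.7, IP:fe80::1234:1234:1234:abcd, "
              "DNS:localhost, DNS:*.mydomain.top")


def parse_san_string(s):
    """Turn an openssl.cnf-style 'IP:..., DNS:...' list into (type, value) pairs.
    Only the two types used in the thread are handled."""
    entries = []
    for item in s.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")   # first ':' only, so IPv6 survives
        kind = kind.upper()
        if kind not in ("IP", "DNS"):
            raise ValueError(f"unsupported SAN type {kind!r}")
        if kind == "IP":
            ipaddress.ip_address(value)        # rejects junk and CIDR like 10.0.0.0/24
        entries.append((kind, value))
    return entries


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_san(entries):
    """DER-encode GeneralNames: dNSName is context tag [2] (IA5String),
    iPAddress is context tag [7] (OCTET STRING of exactly 4 or 16 octets)."""
    names = b""
    for kind, value in entries:
        if kind == "DNS":
            names += _tlv(0x82, value.encode("ascii"))
        else:
            names += _tlv(0x87, ipaddress.ip_address(value).packed)
    return _tlv(0x30, names)                   # SEQUENCE OF GeneralName


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_san(der):
    """Inverse of encode_san; enforces the 4/16-octet rule for iPAddress."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x82:
            entries.append(("DNS", value.decode("ascii")))
        elif tag == 0x87:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress SAN must be exactly 4 or 16 octets")
            entries.append(("IP", str(ipaddress.ip_address(value))))
        else:
            entries.append(("OTHER", value))   # rfc822Name, URI, ...: not needed here
    return entries


def _dns_matches(pattern, host):
    """Browser-style wildcard rule: '*' must be the whole left-most label, there
    must be at least two labels after it, and it matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches(entries, target):
    """True if target (hostname or literal IP) is covered by the SAN list.
    IPs are compared exactly; there is no subnet form in a server cert."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in entries:
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
        if kind == "DNS" and ip is None and _dns_matches(value, target):
            return True
    return False


if __name__ == "__main__":
    entries = parse_san_string(SAN_STRING)
    der = encode_san(entries)
    print(der.hex())
    for t in ("www.mydomain.top", "mydomain.top", "192.168.3.7", "192.168.3.8"):
        print(f"{t:20} -> {san_matches(decode_san(der), t)}")
```

Run it and compare the hex with `openssl x509 -in cert.pem -noout -text` on a certificate pfSense generated with the same entries: the bytes after the subjectAltName OID are this DER. The `san_matches` results are what to expect from a browser: the wildcard and the exact IPs pass, the bare domain and a neighbouring IP do not.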


[pfSense] Web GUI certs

2014-05-21 Thread Volker Kuhlmann
The web GUI uses a default auto-generated cert, which (as expected)
causes browser errors.
An improved approach would be to generate a CA, a key, and to load the CA
into the browser. That way I can be assured to not accidentally OK the
wrong connection, and it tests my understanding of the cert system in
pfsense.

I can't get it to work quite the way I prefer:
  * accept all XXX.site host names
  * accept the IP address
  * accept any IP address in the subnet

When creating the certs, only the CN field seems to have some
significance, and then only for the server cert. For the CA, any free
text is accepted. For the server cert I select "type: server", but CNs of
   *.site
   *.pfsense.site
   pfsense.site

Only the CN of "pfsense.site" makes the browser not complain with
https://pfsense.site/, but https://10.x.x.x/ still gives an error.
Entering an alternative name of "10.x.x.x" when creating the server cert
does nothing.

I get the same results with firefox and konqueror, however 
openssl s_client -connect .. -verify -CApath /etc/ssl .. 
does not complain (I installed the CA cert into /etc/ssl/certs/).

Other websites seem to have no problems with wildcard name certificates
valid for "*.site".

What exactly should I be putting into the pfsense cert manager to get a
similar effect? And make the browser accept the IP address(es) too?

pfsense 2.1.3

Thanks muchly,

Volker

-- 
Volker Kuhlmann
http://volker.top.geek.nz/  Please do not CC list postings to me.