Hello,
I’m in the process of replacing my pfSense with VyOS (which is a very interesting discovery).
I’m gradually migrating each element but I’m stuck on a particular CA that I can’t import. It’s my company’s CA for an IPSec tunnel. I use it on several pfSense applications without any problem, and for other tools as well.
I’ve also been able to import other CAs on VyOS without any problem.
My version: VyOS 1.4-rolling-202305300317
My command: set pki ca 'MY_CA_NAME' certificate 'MII................nw=='
The error only occurs at commit time:
Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/pki.py", line 303, in <module>
    verify(c)
  File "/usr/libexec/vyos/conf_mode/pki.py", line 197, in verify
    if not is_valid_ca_certificate(ca_conf['certificate']):
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/libexec/vyos/conf_mode/pki.py", line 169, in is_valid_ca_certificate
    return is_ca_certificate(cert)
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/vyos/pki.py", line 301, in is_ca_certificate
    ext = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
          ^^^^^^^^^^^^^^^
ValueError: error parsing asn1 value: ParseError { kind: InvalidValue }
The few differences I’ve noticed between a working CA and this one, though there’s probably no connection:
- This one uses RSA-SHA1 signature digest, while a functional one uses RSA-SHA256, for example.
- On the problematic certificate, the DN: is empty.
Thank you for your help!