CA specific pki import issue


I’m in the process of replacing my pfSense with VyOS (which is a very interesting discovery).

I’m gradually migrating each element but I’m stuck on a particular CA that I can’t import. It’s my company’s CA for an IPSec tunnel. I use it on several pfSense applications without any problem, and for other tools as well.

I’ve also been able to import other CAs on VyOS without any problem.

My version: VyOS 1.4-rolling-202305300317

My command: set pki ca 'MY_CA_NAME' certificate 'MII................nw=='

The error only occurs at commit time:

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/", line 303, in <module>
  File "/usr/libexec/vyos/conf_mode/", line 197, in verify
    if not is_valid_ca_certificate(ca_conf['certificate']):
  File "/usr/libexec/vyos/conf_mode/", line 169, in is_valid_ca_certificate
    return is_ca_certificate(cert)
  File "/usr/lib/python3/dist-packages/vyos/", line 301, in is_ca_certificate
    ext = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
ValueError: error parsing asn1 value: ParseError { kind: InvalidValue }

The few differences I’ve noticed between a working CA and this one, though there’s probably no connection:

  • This one uses RSA-SHA1 signature digest, while a functional one uses RSA-SHA256, for example.
  • On the problematic certificate, the DN: is empty.

Thank you for your help!

Though the output is pretty ugly and should probably be caught and handled nicer, I think whatever barfs on your cert is the PyCa (python-cryptography) parser. The parser is known to cough on misconfigured OIDs that contain characters that are not properly defined unicode. Do you have any umlauts in any of the OIDs?

Hi @Netboy3,

I hadn’t thought of that. Checking the certificate, I don’t see an umlaut but I can see an “è” in the Issuer ST and the Subject ST. That could be the problem.

Unfortunately, I can’t change these values as the CA doesn’t belong to me.