Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
en:utility-scripts:pfxexx [2025/03/14 09:06] Webmaster VitaNetworksen:utility-scripts:pfxexx [2025/03/14 12:46] (current) Webmaster VitaNetworks
Line 4: Line 4:
  
 ===== Background ====== ===== Background ======
 +
 The ACME client on OPNsense has a lot of useful utilities (such as installing certificates on Synology's DSM and automated push over SSH that though doable on other systems, each user admin has to come up with their own scheme. It's not perfect, as everything-else-OPNsense, it's poorly documented but it does the job nevertheless. The ACME client on OPNsense has a lot of useful utilities (such as installing certificates on Synology's DSM and automated push over SSH that though doable on other systems, each user admin has to come up with their own scheme. It's not perfect, as everything-else-OPNsense, it's poorly documented but it does the job nevertheless.
  
Line 12: Line 13:
 The original idea for this was to add an automation per certificate so the process would focus only on that certificate, but there's no documentation about it (on OPNsense's documentation at least) so instead it works in bulk. The original idea for this was to add an automation per certificate so the process would focus only on that certificate, but there's no documentation about it (on OPNsense's documentation at least) so instead it works in bulk.
  
-The ACME plugin creates a random directory under ''/var/etc/acme-client/certs'' where it puts the public keys and a matching directory on ''/var/etc/acme-client/keys'' where the private keys are stored. The randomness of this directory is in part why a targeted approach couldn't be made. +The ACME plugin creates a random directory under ''/var/etc/acme-client/certs'' where it puts the public keys and a matching directory on ''/var/etc/acme-client/keys'' where the private keys are stored. The randomness of this directory is in part why a targeted approach couldn't be made yet.
- +
-So instead the script will list the subdirectories of ''/var/etc/acme-client/certs'' to confirm there's a ''cert.pem'' and ''chaim.pem'' in it, then search for a ''private.key'' file the private keys subdirectory. If all files are found, then it will decode the common name of the certificate and use that name to name the new file with the extension .pfx which will be placed on ''/var/etc/acme-client/pfx'' which it will protect using the password stored in the file indicated in the variable ''pfile'', by default this is: ''/var/etc/acme-client/pfiles/std''+
  
 +So instead the script will:
 +1. Find subdirectories of:
 +1.1 ''/var/etc/acme-client/certs'' where it will seek the files named:
 +1.1.1 ''cert.pem'' and
 +1.1.2 ''chain.pem''
 +1.2 ''/var/etc/acme-client/keys'' where it will seek the file named:
 +1.2.1 ''private.key''
 +2. If all files are found under the matching directory name, it will proceed to decode the common name (cn) value of the certificate
 +3. It will retrieve the passphrase stored in the file referenced by variable ''pfile'', by default it's on ''/var/etc/acme-client/pfiles/std''
 +4. Using the CN value, and the password from pfile; it will create a new PFX file in ''/var/etc/acme-client/pfx'' 
  
 ===== Installation ===== ===== Installation =====
- ====== 
  
 +There's nothing to install, except maybe bash since it's a bash script. The commands in the script fail if run in OPNsense's default shell.
 +
 +''/var/etc/acme-client'' is a logical location for the scripts of this kind, but much like pfSense or VyOS, OPNsense overwrites as much as it needs to during updates/upgrades except for a few safe places: ''/config'' on VyOS, ''/root'' in pfSense/OPNsense.
 +
 +You don't need to transfer files to the firewall, as out sites allow hotlinking, you can just use curl to get the script if you please. Additionally, on a non-console terminal you can paste the code (shown below). OPNsense includes the ''edit'' and ''vi'' text editors. If you've never used ''vi''/''vim'', stick to ''edit''.
 +
 +Assuming you'll be downloading to ''/var/etc/acme-client/scripts'', you need to:
 +1. Create a save location if it doesn't already exist:
 +  mkdir -p ''/var/etc/acme-client/scripts''
 +  The command above does nothing if the directory already exists.
 +2. Download:
 +curl -o <destination-filename(-and-path)> <source-URL> e.g;
 +<code bash>
 +curl -o /var/etc/acme-client/scripts/pfxexx https://ref.vitanetworks.link/_export/code/en/utility-scripts/pfxexx?codeblock=0
 +</code>
 +
 +===== Options/Syntax =====
 +
 +Neither of the only two options affect how the script works, they only affect the amount of ''stdout''.
 +
 +==== --unmute ====
 +
 +The script normally discards all output to avoid slowing down firewalls and reduce wearing of flash storage. This option eliminates the discarding of the minimal data it would otherwise output.
 +
 +==== --debug ====
 +
 +This is for testing the script itself, not so much about certificates. Pretty much a useless option for most people.
 +
 +===== Requirements =====
 +
 +The script must be edited or at least review to verify the variables are correct at least reviewed edite hard-coded with the variab
  
-<code bash pfxexx>+<code bash [enable_line_numbers="true"pfxexx>
 #!/usr/bin/env bash #!/usr/bin/env bash