Differences

This shows you the differences between two versions of the page.

--- en:utility-scripts:pfxexx [2025/03/14 16:29] – Webmaster VitaNetworks
+++ en:utility-scripts:pfxexx [2025/03/14 19:46] (current) – Webmaster VitaNetworks
@@ Line 1: / Line 1: @@
-====== pfxexx (What is this?) ======<
+====== pfxexx (What is this?) ======
-<WRAP center round todo 60%>
-todo box
-</WRAP>
 PFX exporter for OPNsense's ACME plugin's certificates. A bash script.
 ===== Background ======
 The ACME client on OPNsense has a lot of useful utilities (such as installing certificates on Synology's DSM and automated push over SSH that though doable on other systems, each user admin has to come up with their own scheme. It's not perfect, as everything-else-OPNsense, it's poorly documented but it does the job nevertheless.
@@ Line 18: / Line 13: @@
 The original idea for this was to add an automation per certificate so the process would focus only on that certificate, but there's no documentation about it (on OPNsense's documentation at least) so instead it works in bulk.
-The ACME plugin creates a random directory under ''/var/etc/acme-client/certs'' where it puts the public keys and a matching directory on ''/var/etc/acme-client/keys'' where the private keys are stored. The randomness of this directory is in part why a targeted approach couldn't be made.
+The ACME plugin creates a random directory under ''/var/etc/acme-client/certs'' where it puts the public keys and a matching directory on ''/var/etc/acme-client/keys'' where the private keys are stored. The randomness of this directory is in part why a targeted approach couldn't be made yet.
-So instead the script will list the subdirectories of ''/var/etc/acme-client/certs'' to confirm there's a ''cert.pem'' and ''chaim.pem'' in it, then search for a ''private.key'' file the private keys subdirectory. If all files are found, then it will decode the common name of the certificate and use that name to name the new file with the extension .pfx which will be placed on ''/var/etc/acme-client/pfx'' which it will protect using the password stored in the file indicated in the variable ''pfile'', by default this is: ''/var/etc/acme-client/pfiles/std''
+So instead the script will:
+. Find subdirectories of:
+.1 ''/var/etc/acme-client/certs'' where it will seek the files named:
+.1.1 ''cert.pem'' and
+.1.2 ''chain.pem''
+.2 ''/var/etc/acme-client/keys'' where it will seek the file named:
+.2.1 ''private.key''
+. If all files are found under the matching directory name, it will proceed to decode the common name (cn) value of the certificate
+. It will retrieve the passphrase stored in the file referenced by variable ''pfile'', by default it's on ''/var/etc/acme-client/pfiles/std''
+. Using the CN value, and the password from pfile; it will create a new PFX file in ''/var/etc/acme-client/pfx''
 ===== Installation =====
-There's nothing to install, except maybe bash since it's a bash script. It will fail in the default OPNsense shell, assuming the commands were run directly. Since everything is in ''/var/etc/acme-client'' it fel like the best place for it in ''/var/etc/acme-client/scripts''. However, like VyOS and pfSense, OPNsense overwrites the filesystem un updates except for a few safe places. ''/config'' on VyOS; ''/root'''' is on of them on OPNsense and pfSense.
+There's nothing to install, except maybe bash since it's a bash script. The commands in the script fail if run in OPNsense's default shell.
-You can download it straight from this page or copy and paste it on the terminal (the code is below.), to download it (assuming you'd use ''/var/etc/acme-client/scripts''':
+''/var/etc/acme-client'' is a logical location for the scripts of this kind, but much like pfSense or VyOS, OPNsense overwrites as much as it needs to during updates/upgrades except for a few safe places: ''/config'' on VyOS, ''/root'' in pfSense/OPNsense.
+You don't need to transfer files to the firewall, as out sites allow hotlinking, you can just use curl to get the script if you please. Additionally, on a non-console terminal you can paste the code (shown below). OPNsense includes the ''edit'' and ''vi'' text editors. If you've never used ''vi''/''vim'', stick to ''edit''.
+Assuming you'll be downloading to ''/var/etc/acme-client/scripts'', you need to:
 . Create a save location if it doesn't already exist:
   mkdir -p ''/var/etc/acme-client/scripts''
-. Download
+  The command above does nothing if the directory already exists.
-  curl -o <destination-filename(-and-path)> <source-URL> e.g;
+. Download:
-  curl -o /var/etc/acme-client/scripts/pfxexx https://ref.vitanetworks.link/_export/code/en/utility-scripts/pfxexx?codeblock=0
+curl -o <destination-filename(-and-path)> <source-URL> e.g;
+<code bash>
+curl -o /var/etc/acme-client/scripts/pfxexx https://ref.vitanetworks.link/_export/code/en/utility-scripts/pfxexx?codeblock=0
+</code>
 ===== Options/Syntax =====
@@ Line 47: / Line 58: @@
 ===== Requirements =====
-The script must be edited or at least review to verify the variables are correct at least reviewed edite hardcoded with the variab
+The script must be edited or at least review to verify the variables are correct at least reviewed edite hard-coded with the variab
- ======
-<code bash pfxexx>
+<code bash [enable_line_numbers="true"] pfxexx>
 #!/usr/bin/env bash