
I want to copy my OpenVPN configuration from a client configuration file to my pfSense firewall. pfSense requires me to provide a certificate and key. This is what they look like in the .ovpn configuration file:

```
<cert>
-----BEGIN CERTIFICATE-----
MIIBxjCCAWugAwIBAgIQSi...
...8TCu2B1Y=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GCSqGSIb3DQEFD...
...atxri8=
-----END ENCRYPTED PRIVATE KEY-----
</key>
```

pfSense does not understand the encrypted private key, so I assume I somehow need to decrypt it. Obviously OpenVPN uses a tool `/etc/openvpn/easy-rsa/easyrsa` to encrypt the private key. I tried decrypting it with OpenSSL (as described in this question and several other places) which does not work:

```
# openssl rsa -in secure.key -out plain.key
Enter pass phrase for secure.pem:
3069640768:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:474:
```

Any ideas how to get a plain PEM key from that Encrypted Private Key?

(And no, I cannot import the .ovpn directly to pfSense as it is not pfSense plus)

Aileron79
  • Why is it 'obvious' easyrsa was used? That's not at all the only way to encrypt, or create, a key (and cert). And your private key has a length prefix far too small to contain an RSA key -- it **looks like ECDSA or maybe EdDSA**. Try `openssl pkey -in secure.key -out plain.key`. Maybe add `-text` to get a decode in addition to the decrypted PEM. Or do `openssl x509 -text` on the _cert_ to see what kind of key it contains; the private key should match that. . – dave_thompson_085 Apr 21 '22 at 02:16
  • Well, it was obvious to me when I went through some OpenVPN documents like this https://openvpn.net/community-resources/rsa-key-management/ but I might have been wrong. However, pkey worked like a charm - I was quite sure I tried that yesterday, but I must have missed something. Thanks a lot for pointing this out. Would accept this as correct answer. – Aileron79 Apr 21 '22 at 08:25
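
The check described in the comments (PEM label plus DER length prefix) can be done without decrypting anything. The following is an added example, not part of the original post or comments; `SAMPLE_OVPN`, `LABELS`, `BLOCK`, `der_outer_length` and `inspect_ovpn` are names assumed here, and the sample contains only the truncated prefixes visible in the question.

```python
import base64
import re

# Constructed .ovpn fragment: PEM bodies are just the truncated prefixes from the question.
SAMPLE_OVPN = """<cert>
-----BEGIN CERTIFICATE-----
MIIBxjCCAWugAwIBAgIQSi
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjME4GCSqGSIb3DQEFD
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

# PEM label -> (what the container holds, openssl subcommand that reads it)
LABELS = {
    "ENCRYPTED PRIVATE KEY": ("PKCS#8, encrypted, any algorithm", "openssl pkey"),
    "PRIVATE KEY": ("PKCS#8, unencrypted, any algorithm", "openssl pkey"),
    "RSA PRIVATE KEY": ("traditional format, RSA only", "openssl rsa"),
    "CERTIFICATE": ("X.509 certificate", "openssl x509"),
}
BLOCK = re.compile(
    r"<([\w-]+)>\s*-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \2-----\s*</\1>",
    re.S)

def der_outer_length(b64_prefix):
    """Content length declared in the outer DER SEQUENCE header."""
    raw = base64.b64decode(b64_prefix[: len(b64_prefix) // 4 * 4])  # whole quanta only
    if raw[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    if raw[1] < 0x80:            # short form: the byte is the length
        return raw[1]
    n = raw[1] & 0x7F            # long form: the next n bytes are the length
    return int.from_bytes(raw[2:2 + n], "big")

def inspect_ovpn(text):
    """Map each inline PEM block's tag to (label, description, tool, DER length)."""
    found = {}
    for tag, label, body in BLOCK.findall(text):
        desc, tool = LABELS.get(label, ("unknown", "unknown"))
        found[tag] = (label, desc, tool, der_outer_length(body.split()[0]))
    return found

if __name__ == "__main__":
    for tag, info in inspect_ovpn(SAMPLE_OVPN).items():
        print(tag, *info, sep=" | ")
```

For the key block this reports a PKCS#8 container of 227 bytes, which is the length prefix the comment calls far too small for an RSA key, and it names `openssl pkey` as the algorithm-independent reader.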
