CSR Import - Should Private Key Be Mandatory?

TheFluffyOne

I've been operating a CA for my internal network for years just using the openssl commands on an Ubuntu server and was looking around for a UI when I realised TrueNAS Scale has all the functions I need.

My initial experiments have been very positive, but something doesn't seem right when trying to import a CSR as it's asking for the private key. The CSR has already been signed with the private key and the signing process doesn't normally need it. TrueNAS, however, won't let me add the CSR without the private key.

For requests I've generated myself this isn't such a big deal as I have the private key to hand, but HP iLO, for example, doesn't provide any way to get the private key.

Is there a reason the private key is mandatory when importing an already-signed CSR?
EDIT: To clarify, that's a CSR that has already been signed with the server's private key, not signed by the CA!
 

Samuel Tai

Yes, this is mandatory, to validate the CSR.
 

TheFluffyOne

Validate in what way, though? The signature can be checked with the public key. And I'm certain it's not normal to provide your private key when passing a CSR to a CA. Using openssl, the private key is only used to sign the CSR prior to passing to the CA; when importing an existing CSR into TrueNAS this step has already been completed, so I'm not seeing what TrueNAS needs it for.
 

Samuel Tai

The private key isn't passed to the CA, but TrueNAS will need it once it receives the cert from the CA.
 

danb35

The private key isn't passed to the CA, but TrueNAS will need it once it receives the cert from the CA.
What? OP's wanting to use the NAS as the CA--a feature it (badly) supports. He's quite right that there's no legitimate reason for the CA to need the corresponding private key--that's the entire point of a CSR.

...and as I step through the UI, OP's right--you must enter the private key in order to import a CSR. Completely stupid and broken design.
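To illustrate the point made in the two posts above (the CSR signature is checked with the public key embedded in the request, and the CA then signs it with only its own key), here is an added example that is not from any poster or from TrueNAS. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the CA name, device name and directory layout are constructed for the demonstration.

```bash
#!/bin/sh
# Added example: a CA validates and signs a CSR without ever holding the
# requester's private key. Assumes the openssl CLI is installed; all names
# below are constructed placeholders.
set -eu

# sign_csr_without_private_key DIR
# Builds a throwaway CA and a "remote device" CSR in DIR, deletes the
# device's private key to prove it is not needed, then verifies and signs
# the CSR. Returns 0 when the issued cert carries the CSR's public key and
# chains to the CA.
sign_csr_without_private_key() {
    dir=$1
    mkdir -p "$dir"

    # 1. Throwaway CA (the role TrueNAS plays in the thread).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1

    # 2. The requester (e.g. an appliance) makes its key and a CSR signed
    #    with that key.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=device.example.internal" \
        -keyout "$dir/device.key" -out "$dir/device.csr" >/dev/null 2>&1

    # 3. The requester keeps its key; simulate that by deleting it here.
    rm -f "$dir/device.key"

    # 4. Validate the CSR: the self-signature is checked against the
    #    public key carried inside the CSR. Non-zero exit on failure.
    openssl req -in "$dir/device.csr" -noout -verify >/dev/null 2>&1

    # 5. Issue the certificate using the CA key only.
    openssl x509 -req -in "$dir/device.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/device.crt" >/dev/null 2>&1

    # 6. Cross-check: the cert's public key must equal the CSR's.
    csr_pub=$(openssl req -in "$dir/device.csr" -noout -pubkey)
    crt_pub=$(openssl x509 -in "$dir/device.crt" -noout -pubkey)
    [ "$csr_pub" = "$crt_pub" ] || return 1

    # 7. And the cert must chain to the CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/device.crt" >/dev/null 2>&1
}
```

Step 4 is the only "validation" a CA needs for an incoming CSR; nothing in steps 4 to 7 touches the deleted device key.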
 

danb35

I realised TrueNAS Scale has all the functions I need.
Not in a usable state, sadly, due to some bizarre design decisions on iX' part. Leaving aside the question of why a NAS includes a CA (I don't see any real reason it should), if it does, it should do it well--and it just doesn't.

See:
 

TheFluffyOne

Not in a usable state, sadly, due to some bizarre design decisions on iX' part. Leaving aside the question of why a NAS includes a CA (I don't see any real reason it should), if it does, it should do it well--and it just doesn't.
Agree that it's an odd inclusion, but given the complexity of some of the other cert management UIs (e.g. OpenXPKI) I thought it was a welcome one, especially as it's built into something I'm already using! As you say, though, it doesn't work correctly at the moment. Thanks for raising the bug in Jira; I'll keep an eye on that.
 

danb35

There's a lot of weirdness in that part of the UI--the fact that they make you create a CSR (with all the superfluous information that's just going to be stripped out of the cert anyway) in order to obtain a cert from Let's Encrypt is at least as baffling.
 