Certificate Authority Management

Certificate Authorities (CAs) are managed from System > Cert Manager, on the CAs tab. From this screen CAs may be added, edited, exported, or deleted.

Create a new Certificate Authority

To create a new CA, start the process as follows:

  • Navigate to System > Cert Manager on the CAs tab.
  • Click Add to create a new CA.
  • Enter a Descriptive name for the CA. This is used as a label for this CA throughout the GUI.
  • Select the Method that best suits how the CA will be generated. These options and further instructions are in the corresponding sections below:
    • Create an Internal Certificate Authority
    • Import an Existing Certificate Authority
    • Create an Intermediate Certificate Authority

Create an Internal Certificate Authority

The most common Method used from here is to Create an Internal Certificate Authority. This will make a new root CA based on information entered on this page.

  • Select the Key length to choose how “strong” the CA is in terms of encryption. The longer the key, the more secure it is. However, longer keys can take more CPU time to process, so it isn’t always wise to use the maximum value. The default value of 2048 is a good balance.

  • Select a Digest Algorithm from the supplied list. The current best practice is to use an algorithm stronger than SHA1 where possible. SHA256 is a good choice.

    Note

    Some older or less sophisticated equipment, such as VPN-enabled VoIP handsets, may only support SHA1 for the Digest Algorithm. Consult device documentation for specifics.

  • Enter a value for Lifetime to specify the number of days for which the CA will be valid. The duration depends on personal preferences and site policies. Changing the CA frequently is more secure, but it is also a management headache as it would require reissuing new certificates when the CA expires. By default the GUI suggests using 3650 days, which is approximately 10 years.

  • Enter values for the Distinguished name section for personalized parameters in the CA. These are typically filled in with an organization’s information, or in the case of an individual, personal information. This information is mostly cosmetic, and used to verify the accuracy of the CA, and to distinguish one CA from another. Punctuation and special characters must not be used.

    • Select the Country Code from the list. This is the ISO-recognized country code, not a hostname top-level domain.
    • Enter the State or Province fully spelled out, not abbreviated.
    • Enter the City.
    • Enter the Organization name, typically the company name.
    • Enter a valid Email Address.
    • Enter the Common Name (CN). This field is the internal name that identifies the CA. Unlike a certificate, the CN for a CA does not need to be the hostname, or anything specific. For instance, it could be called VPNCA or MyCA.

    Note

    Although it is technically valid, avoid using spaces in the CN.

  • Click Save

If errors are reported, such as invalid characters or other input problems, they will be described on the screen. Correct the errors, and attempt to Save again.

Import an Existing Certificate Authority

If an existing CA from an external source needs to be imported, it can be done by selecting the Method of Import an Existing Certificate Authority. This is useful in two cases: for CAs created on another system, and for CAs created by others that must be trusted.

  • Enter the Certificate data for the CA. To trust a CA from another source, only the Certificate data for the CA is required. It is typically contained in a file ending with .crt or .pem. It would be plain text, and enclosed in a block such as:

    -----BEGIN CERTIFICATE-----
    [A bunch of random-looking base64-encoded data]
    -----END CERTIFICATE-----
    
  • Enter the Certificate Private Key if importing a custom external CA, or a CA that is capable of generating its own certificates and certificate revocation lists. This is typically in a file ending in .key. It would be plain text data enclosed in a block such as:

    -----BEGIN RSA PRIVATE KEY-----
    [A bunch of random-looking base64-encoded data]
    -----END RSA PRIVATE KEY-----
    
  • Enter the Serial for next certificate if the private key was entered. A CA creates certificates each with a unique serial number in sequence, and this value controls the serial of the next certificate generated from this CA. It is essential that each certificate have a unique serial, or there will be problems later with certificate revocation. If the next serial is unknown, estimate how many certificates have been made from the CA, and then set the number high enough that a collision would be unlikely.

  • Click Save

If errors are reported, such as invalid characters or other input problems, they will be described on the screen. Correct the errors, and attempt to Save again.

Importing a Chained or Nested Certificate Authority

If the CA has been signed by an intermediary and not directly by a root CA, it may be necessary to import both the root and the intermediate CA together in one entry, such as:

-----BEGIN CERTIFICATE-----
[Subordinate/Intermediate CA certificate text]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root CA certificate text]
-----END CERTIFICATE-----
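As an added example, not part of the pfSense documentation: a standard-library Python script that checks a pasted chained-CA entry like the one above (every block must be a certificate, each certificate's issuer must be the subject of the block after it, and the root comes last and is self-signed) and, for the Serial for next certificate field described earlier, derives the lowest safe value from the certificates the CA has already issued. All function names and the certificates embedded in it are assumptions: the embedded certificates are constructed stand-ins that carry only the leading fields the DER reader touches, and the same functions take real PEM text unchanged.

```python
import base64, re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)  # END label must equal BEGIN label

def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True))
            for m in PEM_BLOCK.finditer(text)]

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_fields(der):
    """(serial, issuer_der, subject_der) read from the start of an X.509 certificate."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)                # Certificate -> tbsCertificate
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0xA0:                                     # skip the optional [0] EXPLICIT version
        tag, val, pos = _tlv(tbs, pos)
    serial = int.from_bytes(val, "big", signed=True)    # INTEGER serialNumber
    _, _, pos = _tlv(tbs, pos)                          # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)                     # issuer Name, compared below as raw DER
    _, _, pos = _tlv(tbs, pos)                          # validity
    return serial, issuer, _tlv(tbs, pos)[1]            # subject Name

def check_ca_bundle(pem_text):
    """True if every block is a certificate, each issuer is the next block's subject, and the last is self-signed."""
    blocks = split_pem(pem_text)
    if not blocks or any(label != "CERTIFICATE" for label, _ in blocks):
        return False                                    # empty, or a private key pasted into the certificate field
    certs = [cert_fields(der) for _, der in blocks]
    return all(a[1] == b[2] for a, b in zip(certs, certs[1:])) and certs[-1][1] == certs[-1][2]

def next_serial(issued_pem):
    """Smallest safe 'Serial for next certificate': the highest serial already issued, plus one."""
    return max(cert_fields(der)[0] for _, der in split_pem(issued_pem)) + 1

# Constructed stand-ins, not real certificates: only the leading TBS fields the parser reads; Name = SEQ{SET{SEQ{OID 2.5.4.3, UTF8String}}}.
def _der(tag, body): return bytes([tag, len(body)]) + body   # short-form lengths only (< 128)
def _name(cn): return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))
def _fake_cert(serial, issuer, subject):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject))
    return _der(0x30, _der(0x30, tbs))
def _pem(der): return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
INTERMEDIATE = _pem(_fake_cert(1, b"Example Root CA", b"Example Intermediate CA"))
ROOT = _pem(_fake_cert(1, b"Example Root CA", b"Example Root CA"))
ISSUED = _pem(_fake_cert(41, b"Example Intermediate CA", b"vpn-user-1")) + _pem(_fake_cert(57, b"Example Intermediate CA", b"vpn-user-2"))
```

check_ca_bundle(INTERMEDIATE + ROOT) is True, the reversed order is rejected, and next_serial(ISSUED) yields 58.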

Create an Intermediate Certificate Authority

An Intermediate CA will create a new CA that is capable of generating certificates, yet depends on another CA higher above it. To create one, select Create an Intermediate Certificate Authority from the Method drop-down.

Note

The higher-level CA must already exist on pfSense (created or imported).

  • Choose the higher-level CA to sign this CA using the Signing Certificate Authority drop-down. Only CAs with private keys present will be shown, as this is required to properly sign this new CA.
  • Fill in the remaining parameters identical to those for Create an Internal Certificate Authority.

Edit a Certificate Authority

After a CA has been added, it can be edited from the list of CAs found at System > Cert Manager on the CAs tab. To edit a CA, click the fa-pencil icon at the end of its row. The screen presented allows editing the fields as if the CA were being imported.

For information on the fields on this screen, see Import an Existing Certificate Authority. In most cases the purpose of this screen would be to correct the Serial of the CA if needed, or to add a key to an imported CA so it can be used to create and sign certificates and CRLs.

Export a Certificate Authority

From the list of CAs at System > Cert Manager on the CAs tab, the certificate and/or private key for a CA can be exported. In most cases the private key for a CA would not be exported, unless the CA is being moved to a new location or a backup is being made. When using the CA for a VPN or most other purposes, only export the certificate for the CA.

Warning

If the private key for a CA gets into the wrong hands, the other party could generate new certificates that would be considered valid against the CA.

To export the certificate for a CA, click the fa-certificate icon on the left. To export the private key for the CA, click the fa-key icon on the right. Hover the mouse pointer over the icon and a tooltip will display the action to be performed for easy confirmation. The files will download with the descriptive name of the CA as the file name, with the extension .crt for the certificate, and .key for the private key.

Remove a Certificate Authority

A CA must first be removed from active use before it can be deleted.

  • Check areas that can use a CA, such as OpenVPN, IPsec, and packages.
  • Remove entries utilizing the CA or select a different CA.
  • Navigate to System > Cert Manager on the CAs tab.
  • Find the CA to delete in the list.
  • Click fa-trash at the end of the row for the CA.
  • Click OK on the confirmation dialog.

If an error appears, follow the on-screen instructions to correct the problem and then try again.