Certificates are managed from System > Cert Manager, on the Certificates tab. From this screen Certificates may be added, edited, exported, or deleted.
Create a new Certificate
To create a new certificate, start the process as follows:
- Navigate to System > Cert Manager on the Certificates tab.
- Click Add to create a new certificate.
- Enter a Descriptive name for the certificate. This is used as a label for this certificate throughout the GUI.
- Select the Method that best suits how the certificate will be generated.
These options and further instructions are in the corresponding sections below:
- Import an Existing Certificate
- Create an Internal Certificate
- Create a Certificate Signing Request
Import an Existing Certificate
If an existing certificate from an external source needs to be imported, it can be done by selecting the Method of Import an Existing Certificate. This can be useful for certificates that have been made using another system or for certificates that have been provided by a third party.
Enter the Certificate data, which is required. It is typically contained in a file ending with .crt, as plain text enclosed in a block such as:
-----BEGIN CERTIFICATE-----
[A bunch of random-looking base64-encoded data]
-----END CERTIFICATE-----
Enter the Private key data, which is also required. This is typically in a file ending in .key, as plain text enclosed in a block such as:
-----BEGIN RSA PRIVATE KEY-----
[A bunch of random-looking base64-encoded data]
-----END RSA PRIVATE KEY-----
Click Save to finish the import process.
If any errors are encountered, follow the on-screen instructions to resolve them. The most common error is not pasting in the right portion of the certificate or private key. Make sure to include the entire block, including the beginning header and ending footer around the encoded data.
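As an added example (not pfSense's own code), the shell below reproduces the checks the Import form effectively performs: that each pasted block carries its BEGIN/END lines, that the data decodes, and, going one step beyond the page, that the private key actually belongs to the certificate. It assumes the openssl command is available; the file names and the self-signed sample pair are constructed for the example.

```shell
#!/bin/sh
# Added example, not pfSense's own code: the checks worth running on a
# certificate and private key before pasting them into the Import form.
# The file names and the self-signed sample pair are constructed here.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Constructed sample: a throwaway self-signed certificate with its key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=import-sample.example.com" \
  -keyout sample.key -out sample.crt 2>/dev/null

# pem_block_ok FILE LABEL: the first line must be a -----BEGIN ...LABEL-----
# header and the last line the matching -----END ...LABEL----- footer.
# The ".*" tolerates "RSA PRIVATE KEY", "EC PRIVATE KEY" and "PRIVATE KEY".
pem_block_ok() {
  head -n 1 "$1" | grep -q "^-----BEGIN .*$2-----$" &&
  tail -n 1 "$1" | grep -q "^-----END .*$2-----$"
}

# cert_parses FILE / key_parses FILE: OpenSSL must be able to decode the block.
cert_parses() { openssl x509 -in "$1" -noout 2>/dev/null; }
key_parses()  { openssl pkey -in "$1" -noout 2>/dev/null; }

# key_matches_cert CERT KEY: the public key inside the certificate must equal
# the public key derived from the private key, or the pair cannot be used.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)" ]
}

# import_check CERT KEY: run the checks in order and report the first failure.
import_check() {
  pem_block_ok "$1" "CERTIFICATE" || { echo "$1: missing BEGIN/END CERTIFICATE lines"; return 1; }
  pem_block_ok "$2" "PRIVATE KEY" || { echo "$2: missing BEGIN/END PRIVATE KEY lines"; return 1; }
  cert_parses "$1"                || { echo "$1: does not decode as a certificate"; return 1; }
  key_parses "$2"                 || { echo "$2: does not decode as a private key"; return 1; }
  key_matches_cert "$1" "$2"      || { echo "$2: does not belong to $1"; return 1; }
  echo "$1 + $2: OK"
}

# Two constructed mistakes: a paste that dropped the footer line, and a key
# that was generated separately and so does not match the certificate.
sed '$d' sample.crt > truncated.crt
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null

import_check sample.crt sample.key
import_check truncated.crt sample.key || true
import_check sample.crt other.key || true
```

The footer check catches the most common paste error named above; the key match check catches the quieter failure where both blocks are well-formed but were copied from different systems, which pfSense would otherwise only reveal when the certificate is put to use.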
Create an Internal Certificate
The most common Method is Create an Internal Certificate. This will make a new certificate using one of the existing Certificate Authorities.
Select the Certificate Authority by which this certificate will be signed. Only a CA that has a private key present can be in this list, as the private key is required in order for the CA to sign a certificate.
Select the Key length to choose how “strong” the certificate is in terms of encryption. The longer the key, the more secure it is. However, longer keys can take more CPU time to process, so it isn’t always wise to use the maximum value. The default value of 2048 is a good balance.
Select a Digest Algorithm from the supplied list. The current best practice is to use an algorithm stronger than SHA1 where possible. SHA256 is a good choice.
Some older or less sophisticated equipment, such as VPN-enabled VoIP handsets, may only support SHA1 for the Digest Algorithm. Consult device documentation for specifics.
Select a Certificate Type which matches the purpose of this certificate.
Choose Server Certificate if the certificate will be used in a VPN server or HTTPS server. This indicates inside the certificate that it may be used in a server role, and no other.
Server type certificates include Extended Key Usage attributes indicating they may be used for Server Authentication, as well as the OID 1.3.6.1.5.5.8.2.2, which is used by Microsoft to signify that a certificate may be used as an IKE intermediate. These are required for Windows 7 and later to trust the server certificate for use with certain types of VPNs. They are also marked with a constraint indicating that they are not a CA, and have nsCertType set to “server”.
Choose User Certificate if the certificate can be used in an end-user capacity, such as a VPN client, but it cannot be used as a server. This prevents a user from using their own certificate to impersonate a server.
User type certificates include Extended Key Usage attributes indicating they may be used for client authentication. They also are marked with a constraint indicating that they are not a CA.
Choose Certificate Authority to create an intermediate CA. A certificate generated in this way will be subordinate to the chosen CA. It can create its own certificates, but the root CA must also be included when it is used. This is also known as “chaining”.
Enter a value for Lifetime to specify the number of days for which the certificate will be valid. The duration depends on personal preferences and site policies. Changing the certificate frequently is more secure, but it is also a management headache as it requires reissuing new certificates when they expire. By default the GUI suggests using 3650 days, which is approximately 10 years.
Enter values for the Distinguished name section for personalized parameters in the certificate. Most of these fields will be pre-populated with data from the CA. These are typically filled in with an organization’s information, or in the case of an individual, personal information. This information is mostly cosmetic, and used to verify the accuracy of the certificate, and to distinguish one certificate from another. Punctuation and special characters must not be used.
- Select the Country Code from the list. This is the ISO-recognized country code, not a hostname top-level domain.
- Enter the State or Province fully spelled out, not abbreviated.
- Enter the City.
- Enter the Organization name, typically the company name.
- Enter a valid Email Address.
- Enter the Common Name (CN). This field is the internal name that identifies the certificate. Unlike a CA, the CN for a certificate should be a username or hostname. For instance, it could be called VPNCert, user01, or vpnrouter.example.com.
Although it is technically valid, avoid using spaces in the CN.
Click Add to add Alternative Names if they are required. Alternative Names allow the certificate to specify multiple names that are all valid for the CN, such as two different hostnames, an additional IP address, a URL, or an e-mail address. This field may be left blank if it is not required or its purpose is unclear.
- Enter a Type for the Alternative Name. This must contain one of DNS (FQDN or Hostname), IP (IP address), URI, or email.
- Enter a Value for the Alternative Name. This field must contain an appropriately formatted value based on the Type entered.
- Click Delete at the end of the row for an unneeded Alternative Name.
- Repeat this process for each additional Alternative Name.
If errors are reported, such as invalid characters or other input problems, they will be described on the screen. Correct the errors, and attempt to Save again.
Create a Certificate Signing Request
Choosing a Method of Certificate Signing Request creates a new request file that can be sent into a third party CA to be signed. This would be used to obtain a certificate from a trusted root certificate authority. Once this Method has been chosen, the remaining parameters for creating this certificate are identical to those for Create an Internal Certificate.
Export a Certificate
From the list of certificates at System > Cert Manager on the Certificates tab, a certificate and/or its private key may be exported.
To export the certificate, click the icon. To export the private key for the certificate, click the icon. To export the CA certificate, certificate and the private key for the certificate together in a PKCS#12 file, click the icon. To confirm the proper file is being exported, hover the mouse pointer over the icon and a tooltip will display the action to be performed.
The files will download with the descriptive name of the certificate as the file name, and the extension .crt for the certificate and .key for the private key, or .p12 for a PKCS#12 file.
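The following is an added example and not pfSense's own code or configuration. It uses the openssl CLI to reproduce the extension profiles described under Create an Internal Certificate for a Server Certificate and a User Certificate, produces a CSR on the way (the artifact the Certificate Signing Request method hands to an external CA), checks the issued certificates for those extensions, and builds a PKCS#12 bundle holding the CA certificate, certificate and private key as described under Export a Certificate. The CA, subject values, hostnames, addresses and the bundle password are constructed; the exact openssl configuration pfSense uses is not shown on this page.

```shell
#!/bin/sh
# Added example, not pfSense's own code: reproduce with the openssl CLI what
# "Create an Internal Certificate" does for a Server and a User certificate,
# produce a CSR along the way, and export the PKCS#12 bundle the Export
# section describes. Subject values, names and the password are constructed.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
P12_PASS="example-only"   # constructed for this example

# Stand-in for an existing CA that has its private key available.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/C=US/ST=Texas/L=Austin/O=Example Co/CN=Example Internal CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# Server Certificate profile from the page: EKU serverAuth plus the Microsoft
# IKE intermediate OID 1.3.6.1.5.5.8.2.2, not a CA, nsCertType server, and
# one Alternative Name of each Type (DNS, IP, URI, email).
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
nsCertType = server
subjectAltName = DNS:vpnrouter.example.com, IP:192.0.2.10, URI:https://vpnrouter.example.com/, email:admin@example.com
EOF

# User Certificate profile from the page: EKU clientAuth only, not a CA.
cat > user.ext <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# issue_cert NAME EXTFILE CN: new key, a CSR (what the Certificate Signing
# Request method would hand to an external CA), then sign it with our CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=Texas/L=Austin/O=Example Co/CN=$3" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -sha256 -extfile "$2" -out "$1.crt" 2>/dev/null
}

# has_ext CERT PATTERN: true if the decoded certificate text contains PATTERN.
has_ext() { openssl x509 -in "$1" -noout -text | grep -q -- "$2"; }

# chain_ok CERT: true if CERT validates against the issuing CA.
chain_ok() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# is_server_cert CERT: the properties the page lists for Server Certificates.
is_server_cert() {
  has_ext "$1" "TLS Web Server Authentication" &&
  has_ext "$1" "1.3.6.1.5.5.8.2.2" &&
  has_ext "$1" "CA:FALSE" &&
  has_ext "$1" "SSL Server"
}

# is_user_cert CERT: clientAuth, not a CA, and no server role to impersonate with.
is_user_cert() {
  has_ext "$1" "TLS Web Client Authentication" &&
  has_ext "$1" "CA:FALSE" &&
  ! has_ext "$1" "TLS Web Server Authentication"
}

# p12_cert_count P12: number of certificates in the bundle (expect 2: cert + CA).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys 2>/dev/null | grep -c "BEGIN CERTIFICATE"
}

issue_cert server server.ext vpnrouter.example.com
issue_cert user01 user.ext user01   # a user certificate's CN is the username

# PKCS#12 export: CA certificate, certificate and private key in one file.
openssl pkcs12 -export -in server.crt -inkey server.key -certfile ca.crt \
  -passout "pass:$P12_PASS" -out server.p12

for c in server user01; do
  chain_ok "$c.crt" && echo "$c.crt: chains to ca.crt"
done
is_server_cert server.crt && echo "server.crt: server profile present"
is_user_cert user01.crt && echo "user01.crt: user profile present"
echo "server.p12 holds $(p12_cert_count server.p12) certificates"
```

Inspect any certificate exported from pfSense the same way, with openssl x509 -noout -text, to confirm that a certificate intended for a VPN server really carries the server role and that a user certificate does not; the is_server_cert and is_user_cert checks above are the grep-level version of that review.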
Remove a Certificate
To remove a certificate, first it must be removed from active use.
- Check areas that can use a certificate, such as the WebGUI options, OpenVPN, IPsec, and packages.
- Remove entries using the certificate, or choose another certificate.
- Navigate to System > Cert Manager on the Certificates tab.
- Locate the certificate to delete in the list.
- Click at the end of the row for the certificate.
- Click OK on the confirmation dialog.
If an error appears, follow the on-screen instructions to correct the problem and then try again.
If a VPN is being used that requires user certificates, they may be created in one of several ways. The exact method depends on where the authentication for the VPN is being performed and whether or not the certificate already exists.
No Authentication or External Authentication
If there is no user authentication, or if the user authentication is being performed on an external server (RADIUS, LDAP, etc.), then make a user certificate like any other certificate described earlier. Ensure that User Certificate is selected for the Certificate Type and set the Common Name to be the user’s username.
Local Authentication / Create Certificate When Creating a User
If user authentication is being performed on pfSense, the user certificate can be made inside of the User Manager.
- Navigate to System > User Manager.
- Create a user. See User Management and Authentication for details.
- Fill in the Username and Password.
- Select Click to create a user certificate in the User Certificates section, which will display a simple form for creating a user certificate.
- Enter a short Descriptive Name, which can be the username or something such as Bob’s Remote Access VPN Cert.
- Choose the proper Certificate Authority for the VPN.
- Adjust the Key Length and Lifetime if desired.
- Finish any other required user details.
- Click Save.
Local Authentication / Add a Certificate to an Existing User
To add a certificate to an existing user:
- Navigate to System > User Manager.
- Click to edit the user.
- Click Add under User Certificates.
- Choose options as needed from the certificate creation process described in Create a new Certificate, or select Choose an existing certificate and then pick one from the Existing Certificates list.
For more information on adding and managing users, see User Management and Authentication.