Managing Certificates on pfSense¶
pfSense includes a central Certificate Manager under System > Cert Manager.
This central Certificate Management takes the place of several other locations inside pfSense which used to require certificates be entered directly into their configurations, such as for HTTPS SSL access to the WebGUI, OpenVPN PKI Certificate Management, and IPsec Certificate management.
Certificates are manage on the Certificates tab.
The certificates and keys may also be downloaded from this list view:
|:||Exports the certificate file|
|:||Export the private key for this certificate|
|:||Generates a PKCS#12
A certificate may be added using the following Methods:
- Import an existing Certificate by pasting in the certificate and private key
- Create an internal Certificate using a Certificate Authority defined on the CAs tab by choosing the appropriate CA and filling out the form
- Create a Certificate Signing Request (CSR) for use with an external CA
Certificate Revocation Lists¶
Certificate Revocation Lists (CRLs) control which certificates are valid for a given CA. If a Certificate becomes compromised in some way, or is invalidated, it can be added to a CRL, and that CRL may be selected for use by an OpenVPN server, and then an OpenVPN client using that certificate will no longer be allowed to connect.
Certificate Revocation Lists are managed from the Certificate Revocation tab.
First, add a new CRL for a given CA (). A existing CRL may be imported an CRL or a new CRL may be created. Imported CRLs cannot be altered, as there is no way to add additional certificates. If a new CRL is being created, it may be edited and certificates may be added to it for revocation.
Finally, the CRL can be chosen for use by an OpenVPN server instance (VPN > OpenVPN). The CA must be the same for the OpenVPN Server and the CRL.
When a CRL is updated, the OpenVPN server will automatically pick up the changes.