pfSense: Generate a SSL Certificate for HTTPS on your pfSense

If you are new to pfSense, you have probably noticed that you don’t get a secure connection to your firewall out of the box. I'll show you step by step how to generate an SSL certificate for HTTPS on your pfSense firewall.

You want a secure connection to your firewall. We can achieve this with a few (more or less) simple steps. Let’s dive right in.

Please don’t mind that my Windows and browser versions are in German; the locations of the buttons etc. should be the same in English.

1. Log in to your firewall, go to System / Certificate Manager / CAs and click Add.

2. Fill in all the details according to your location like in my sample.

3. Go to System / Certificate Manager / Certificates. You will notice that a certificate already exists. That's the default cert that comes pre-installed. We ignore it and click Add.

4. Fill in the form like in my example. Pay attention to Common Name: this is the FQDN of your pfSense, for example mypfsensefirewall.lan. Also make sure that you enter the same FQDN in the Alternative Names field (thanks to Rob for pointing that out!).

5. Now pay attention: Go BACK to System / Certificate Manager / CAs and export the CERTIFICATE AUTHORITY, not the WebConfigurator Cert we just created!

6. Open your Windows Certificate Root and import the downloaded pfsense-CA cert. You can import it by right-clicking on an empty space on the right side, choosing "New Task" or so, and then Import.

7. Go back to your pfSense, go to System / Advanced / Admin Access and CHANGE the SSL certificate from the default one to our newly created one. Hit Save.

8. Now Google Chrome should automatically accept the cert stored in the Windows Certificate Root. Firefox doesn't. If your Chrome doesn't do it, import it manually. Below the steps for Firefox.

9. After doing all this and restarting your browser, you should be greeted with a green lock, ensuring a secure connection to your firewall. Remember to access your firewall via its FQDN and not the IP.
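
The chain and name checks behind steps 4 to 9 can be reproduced offline with openssl. This is an added example, not part of the original guide or of pfSense itself; the CA name, key size, validity period, LAN IP and helper function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: rebuild the guide's CA and server certificate with openssl
# and run the two checks a browser applies (trusted issuer, matching name).
FQDN="mypfsensefirewall.lan"      # example FQDN from step 4
LAN_IP="192.168.1.1"              # constructed address, for the step 9 check
WORK="$(mktemp -d)"               # private scratch directory (mode 0700)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF

build_pki() {   # steps 1-4: internal CA, then a server cert signed by it
  openssl req -x509 -config "$WORK/ssl.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=pfsense-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
  openssl req -new -config "$WORK/ssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$FQDN" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ssl.cnf" -extensions srv_ext \
    -out "$WORK/srv.crt" 2>/dev/null
}

chain_ok() {    # args = the client's trust settings, e.g. -CAfile ca.crt
  openssl verify "$@" "$WORK/srv.crt" >/dev/null 2>&1
}

name_ok() {     # $1 = -checkhost or -checkip, $2 = what is typed in the URL
  openssl x509 -in "$WORK/srv.crt" -noout "$1" "$2" | grep -q "does match"
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

build_pki || { echo "openssl failed" >&2; exit 1; }
report chain_ok -CAfile "$WORK/ca.crt"   # CA imported on the client (steps 5-6)
report chain_ok                          # CA not imported: untrusted issuer
report name_ok -checkhost "$FQDN"        # URL uses the FQDN (step 9)
report name_ok -checkip "$LAN_IP"        # URL uses the IP: name mismatch
```

The second and fourth checks are expected to report FAIL: an issuer the client has not imported is the condition behind NET::ERR_CERT_AUTHORITY_INVALID, and the IP address is not listed in the certificate's Alternative Names.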

 

 

You can get pre-installed pfSense hardware here:
I use a PC Engines APU.1D4 Bundle which is only available on the German Amazon, so you have to look how to get it in the US, but I assume the options above are of equal quality.

 

16 thoughts on “pfSense: Generate a SSL Certificate for HTTPS on your pfSense”


    • May 18, 2017 at 8:24 am

      You are welcome 🙂

  • September 22, 2017 at 5:35 pm

    Would be better if graphics were in English too??

    • October 18, 2017 at 9:10 am

      Thanks for pointing that out, Rob! Changed the guide, works like a charm!

  • November 2, 2017 at 12:47 pm

    For some reason it is not working for me 🙁

    I am getting NET::ERR_CERT_AUTHORITY_INVALID

    • November 2, 2017 at 1:03 pm

      Sorry, it is working in Google Chrome. But not in Firefox.

      Thank you!

      • November 14, 2017 at 12:36 pm

        Great you were able to solve it on your own!


  • December 11, 2017 at 7:33 pm

    I had to explicitly trust the cert on my laptop. After that it worked. Thx for the post!

  • January 21, 2018 at 5:43 pm

    You can tell firefox to use Windows CA

    about:config
    security.enterprise_roots.enabled “true”

  • February 8, 2018 at 5:10 am

    Well, following this article was very frustrating. As soon as I swapped the SSL cert and saved, I could no longer get to the UI. Both Firefox and Chrome reported "NET::ERR_CERT_AUTHORITY_INVALID" no matter what I did. I used several different computers with Firefox, Chrome, and Safari. I verified each time that the CA was correctly trusted, but it still wouldn’t load. I FINALLY was able to get the pfSense UI up by installing an OLD version of Firefox that let me add an exception to visit the site. Of course I immediately swapped the SSL cert back to the web configurator one and things worked fine again.
