Using pfSense as a Certificate authority

July 28, 2025



pfSense is one of my absolute favorite projects. A fully featured advanced firewall which is free and open-source and also offers paid-for licensed versions with optional support packages for the enterprise; absolutely perfect!

One little-known but excellent feature of pfSense is the CA (Certificate Authority) manager, which makes setting up a CA and issuing certificates a breeze. Having used easy-rsa extensively and even built an API and source-control wrapper around it (which definitely has its benefits over pfSense), sometimes you just need a simple and quick way to issue certificates properly. For those projects, pfSense has a great solution.

The project I have in mind is a personal OpenVPN server, hosted on OpenWRT, to bring remote CCTV cameras onto the same virtual private network despite them being geographically distant. This will allow me to avoid any kind of cloud-camera fees or privacy concerns.

Even though I plan to use OpenWRT for the actual server, I will use pfSense to manage the certificates.

Concept

I will guide you through installing pfSense on VirtualBox, set up the initial certificate authority, issue a server certificate and then issue a client certificate.

pfSense and VirtualBox

I’ll use VirtualBox 7.1.12, available from here: Download VirtualBox

And pfSense CE 2.7.2, available from Netgate or from the mirror here: Download pfSense CE

Setup and install

While this article is not focused on VirtualBox, here are quick instructions to get going. For the record, you could use any kind of hypervisor, not just VirtualBox, or even a real machine.

If you have an active pfSense installation already - use that instead of a VM!

Once VirtualBox is installed, go to “✷ New”, set a name and select where to store the VM image on your computer. Here are the settings that I used; all the other options I left as default (16GB VDI and 1024MB RAM).

pfsense-ca virtualbox

You can now click “➜ Start”. Once the console screen opens, it will boot the iso and you can quickly move through the pfSense installation steps using the defaults: Accept, Install, Auto (ZFS), Install, Stripe, ada0, Yes, Reboot.

Once rebooted, if it boots back into the installer, stop the VM and unselect the ISO image from the VM settings.

pfSense will ask for some basic first-time settings on the console on the first boot.

  • Should VLANs be set up now? n
  • Enter the WAN interface name: em0
  • Enter the LAN interface name: (nothing)
  • Do you want to proceed: y

WAN interface

Because we only want to use pfSense for the CA and not as a firewall, we first need to get past the firewall to be able to access the web interface. We only have one interface, WAN, and by default pfSense will not allow access from it.

You should now be at the “Enter an option” screen. Select 8) Shell

Temporarily disable the firewall by entering pfctl -d. You would not normally do this if you were using pfSense as a firewall!

pfsense-ca pfctl -d

We will now set up a port forward in VirtualBox to forward port 443 through to pfSense. In the VirtualBox window, go to Machine ➜ Settings ➜ Network ➜ Port Forwarding

Add a new forwarding rule and set the following:

  • Name: Forward localhost port 8443 through to port 443 of the pfSense virtual machine
  • Host Port: 8443
  • Guest Port: 443

pfsense-ca virtualbox port forward

Now you may navigate to https://127.0.0.1:8443/ and you should see the pfSense login screen. The default login is admin/pfsense.

You can now go through the pfSense setup wizard. I left everything as defaults, but you may customise. You will need to run pfctl -d one more time once the wizard is finished, because the wizard reloads the filter rules and re-enables the firewall.

Now that we have access to the interface, we can add a rule to allow us through the firewall permanently. Once again, you would not normally do this if you were using pfSense as a firewall!

Go to Firewall ➜ Rules ➜ ↴ Add and set the following:

  • Source: WAN subnets
  • Destination: This Firewall (Self)
  • Destination Port Range: HTTPS (443)
  • Description: Allow access to pfSense interface from VirtualBox

pfsense-ca wan rule

Now you will have permanent access to the interface without having to run pfctl -d again.

Certificate Manager

Right, with that out of the way, we can now use the certificate management functionality in pfSense.

It’s worth explaining the three kinds of certificates. Each comes as a pair: a public certificate and a private key.

  • CA: The root certificate, top of the chain. All your other certificates will be signed by this one. It’s the most important one: keep the private key super secret. The certificate itself is not secret and can (must) be made available to the clients and servers.
  • Server: A certificate signed by the CA with server key usage. Clients will trust this certificate when it is presented by a server, whereas they will not trust a user certificate acting as a server.
  • User: The standard certificate issued to clients.

Set up the Certificate Authority

In the pfSense web interface, navigate to System ➜ Certificates ➜ Authorities and click ✚ Add

Enter the settings. I used mostly defaults. Please use your own preferences, but these are mine.

  • Descriptive name: Richard CCTV CA
  • Method: Create an internal Certificate Authority
  • Trust Store: no
  • Randomize serial: no (but it can be useful if you issue certs from multiple pfSense instances in an HA setup)
  • Key type: RSA 2048
  • Digest Algorithm: sha256
  • Lifetime: 3650 (10 years)
  • Common Name: richard-cctv-ca
  • Country Code: (blank)
  • State or Province: (blank)
  • City: (blank)
  • Organization: (blank)
  • Organizational Unit: (blank)
  • Save

pfsense-ca ca

That’s it for the CA. If you’re using it with an external OpenVPN server (I will be using it on OpenWRT), you can now export (download) the .crt file using the Actions buttons in pfSense. You should not need to export the private key, because you will return to pfSense to issue more certificates.

Issue a Server Certificate

In the pfSense web interface, navigate to System ➜ Certificates ➜ Certificates and click ✚ Add

Enter the settings. I used mostly defaults. Please use your own preferences, but these are mine.

  • Method: Create an internal Certificate
  • Descriptive name: Richard CCTV OpenVPN Server
  • Certificate authority: Richard CCTV CA
  • Key type: RSA 2048
  • Digest Algorithm: sha256
  • Lifetime (days): 3650. This is a contentious setting; set it lower if you need to for compatibility or compliance
  • Common Name: richard-cctv-openvpn-server
  • Country Code: (blank)
  • State or Province: (blank)
  • City: (blank)
  • Organization: (blank)
  • Organizational Unit: (blank)
  • Certificate Type: Server Certificate
  • Alternative Names: (blank)
  • Save

pfsense-ca server

You may now export both the server private key (.key / .pem) and public certificate (.crt / .cer) for use in an OpenVPN server, using the Actions buttons in pfSense.

Issue a Client Certificate

(Very much the same as a server certificate, but with the Certificate Type set to User Certificate.)

In the pfSense web interface, navigate to System ➜ Certificates ➜ Certificates and click ✚ Add

Enter the settings. I used mostly defaults. Please use your own preferences, but these are mine.

  • Method: Create an internal Certificate
  • Descriptive name: Richard CCTV Remote Site 1
  • Certificate authority: Richard CCTV CA
  • Key type: RSA 2048
  • Digest Algorithm: sha256
  • Lifetime (days): 3650
  • Common Name: richard-cctv-remote-site-1
  • Country Code: (blank)
  • State or Province: (blank)
  • City: (blank)
  • Organization: (blank)
  • Organizational Unit: (blank)
  • Certificate Type: User Certificate
  • Alternative Names: (blank)
  • Save

pfsense-ca client user

You may now export both the client private key (.key / .pem) and public certificate (.crt / .cer) for use in an OpenVPN client, using the Actions buttons in pfSense.
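Before copying the exported pairs to OpenWRT, it is worth checking that each one chains to the CA, that its key usage matches its Certificate Type (the Server versus User distinction explained under Certificate Manager), and that the .key really belongs to the .crt. The script below is an added example and not part of the original post: it builds a throwaway CA, server and user certificate with openssl, using the same parameters as the pfSense settings above, as stand-ins for the exported files, and defines two checks you can point at real exports instead (the file names and the exact extensions pfSense writes are assumptions).

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throwaway CA, server and
# user certificate with the same parameters as the pfSense settings above
# (RSA 2048, sha256, 3650 days) as stand-ins for the exported files, then
# defines the two checks worth running on a real export before it goes on to
# the OpenVPN server or client.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed stand-in for the exported CA certificate (richard-cctv-ca.crt)
openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
  -keyout ca.key -out ca.crt -subj "/CN=richard-cctv-ca" >/dev/null 2>&1

# issue NAME CN EKU: writes NAME.key / NAME.crt signed by the CA. The EKU
# mirrors the Server/User Certificate Type distinction (serverAuth vs
# clientAuth); pfSense's exact extension set is assumed, not copied.
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 3650 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}
issue server richard-cctv-openvpn-server serverAuth
issue client richard-cctv-remote-site-1 clientAuth

# check_cert CERT ROLE: succeeds only if CERT chains to ca.crt and carries the
# extended key usage OpenVPN's remote-cert-tls check expects for ROLE
check_cert() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 || return 1
  case "$2" in
    server) want="TLS Web Server Authentication" ;;
    client) want="TLS Web Client Authentication" ;;
    *) return 2 ;;
  esac
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$want"
}

# key_matches CERT KEY: succeeds if the private key belongs to the certificate,
# i.e. the .key and .crt exported together really are a pair
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demonstration: a user certificate must not pass as a server certificate
check_cert server.crt server && echo "server.crt: OK as server"
check_cert client.crt client && echo "client.crt: OK as client"
check_cert client.crt server || echo "client.crt: rejected as server (expected)"
key_matches server.crt server.key && echo "server.key matches server.crt"
```

To check a real export, replace ca.crt, server.crt and server.key with the files downloaded from pfSense and run the same two functions.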

Backups

Using the backup feature in pfSense, you can safely export your CA and certificates for disaster recovery. I’d advise making a backup each time you issue a new certificate. Be sure to store the backup safely and privately, because it contains the private keys for your authority and your server/user certificates. A BitLocker-encrypted USB stick may be suitable if you are using this for a personal project. Otherwise, your organisation may have specific requirements.

Access the backup feature in pfSense under Diagnostics ➜ Backup & Restore ➜ Download configuration as XML.

Shutdown

You may now shut down the pfSense virtual machine in VirtualBox. If you need to issue more certificates at a later date, then start up the VM again.

Conclusion

In this article, we’ve explored how to use pfSense as a Certificate Authority, demonstrating its capabilities beyond being just a firewall.

We covered the complete process from installing pfSense in VirtualBox to creating a CA and issuing both server and client certificates and creating offline backups.

This approach provides a simple yet powerful way to manage certificates for your projects, especially useful for services like OpenVPN.

The built-in certificate management in pfSense offers an excellent alternative to command-line tools like easy-rsa, making certificate management accessible through a user-friendly web interface.

While we focused on the CA functionality here, the OpenVPN implementation on OpenWRT will be covered in a future article.