Valid Certificates on pfSense
As expected, many people, including the pfSense community, are moving to Let’s Encrypt to obtain valid certificates.
The Automated Certificate Management Environment (ACME) protocol provides automatic certificate renewal. On pfSense, ACME is implemented by the Acme package, using Let’s Encrypt as the CA.
Let’s Encrypt on pfSense
In order to use this service you must install the Acme package from pfSense’s Package Manager; the current version is 0.1.15.
Once it is installed, you will find the configuration interface under Services -> Acme Certificates. There are three tabs: General Settings, Certificates and Account Keys.
First you have to generate, in the Account Keys tab, a key that uniquely identifies the certificate user to Let’s Encrypt. Push the Add button and fill in the required information.
- Name: name of your account
- Description: brief description
- Acme Server: choose which type of CA you want to use, Staging or Production; the latter has some rate limits that you can find here. Obviously, to obtain a valid certificate you have to choose Production. Staging is only for becoming familiar with the procedure: the browser will still show a certificate error.
- Account Key: your key; you can generate it by pushing the Create button or paste one you already have.
- Register Acme Account: if it’s your first generation of an Account Key, you must push this button to register. Otherwise you can save the configuration and move on to the next step.
Now we can request our certificate from the Certificates tab by pushing the Add button.
There are many ways to proceed; here we will see how to issue a certificate for the webConfigurator of pfSense.
- Name: a mnemonic name for the certificate; I suggest you use the FQDN.
- Description: a brief description.
- Status: Active.
- Acme Account: the one you created earlier.
- Key Size: the size of your key; 2048 should be fine.
- Domain SAN list: here you have to insert the four pieces of information needed to generate your certificate:
  - the DNS server (hostname/IP)
  - the RFC2136 method used (host, user or zone)
  - the key algorithm, if you follow my guide (HMAC-MD5)
  - the private key generated on the DNS server for this host.
- DNS-Sleep: the number of seconds to wait for the DNS record to resolve correctly; used with the DNS method.
- Action List: specifies what to do after the certificate is renewed.
- Last Renewal: indicates the date of the last renewal; on the first issue you will see 01/01/1970.
- Certificate Renewal After: the number of days to wait before renewing.
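To make clear what the DNS-RFC2136 settings above are used for, here is an added example (not code from the original post or from the pfSense Acme package) of the ACME DNS-01 validation that runs behind them. Let’s Encrypt sends a challenge token; the client must publish a TXT record at `_acme-challenge.<fqdn>` whose value is the base64url-encoded SHA-256 of the key authorization (token + "." + RFC 7638 thumbprint of the account key), which is why DNS-Sleep exists: the record must be resolvable before the CA is told to check it. With the RFC2136 method the record is pushed to your DNS server as a TSIG-signed dynamic update; the block builds the equivalent `nsupdate` input. The JWK, token, DNS server name, TSIG key name and secret are constructed placeholders, not real values.

```python
"""
Added example (not from the original post or the pfSense Acme package):
the ACME DNS-01 challenge value and the RFC2136 dynamic update that
publishes it. All key material and the token below are constructed.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace. Extra members such
    as "alg" or "kid" are deliberately ignored."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token + "." + thumbprint, shared by all ACME challenge types."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The value the CA expects to find in the _acme-challenge TXT record."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def challenge_record_name(fqdn: str) -> str:
    """Fully qualified owner name of the challenge record."""
    return f"_acme-challenge.{fqdn.rstrip('.')}."


def rfc2136_update_script(dns_server: str, zone: str, fqdn: str, txt_value: str,
                          key_name: str, key_secret: str, ttl: int = 60) -> str:
    """nsupdate input equivalent to what the RFC2136 method sends.
    The TSIG line uses nsupdate's 'key <algorithm>:<name> <secret>' form.
    HMAC-MD5 is used here only because the post's guide uses it;
    hmac-sha256 is preferred where the DNS server supports it."""
    name = challenge_record_name(fqdn)
    lines = [
        f"server {dns_server}",
        f"zone {zone}",
        f"key hmac-md5:{key_name} {key_secret}",
        f"update delete {name} TXT",          # drop a stale value from a previous run
        f'update add {name} {ttl} TXT "{txt_value}"',
        "send",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample account key: placeholder members, not a real RSA key.
SAMPLE_JWK = {"kty": "RSA", "n": "constructed-modulus-base64url", "e": "AQAB"}
# Constructed challenge token (real tokens are random base64url strings).
SAMPLE_TOKEN = "constructed-token-0123456789"

if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    # ns1.example.net, acme-key and the secret are placeholders.
    print(rfc2136_update_script("ns1.example.net", "sites.oneos.it",
                                "test.sites.oneos.it", value,
                                "acme-key", "PLACEHOLDER-TSIG-SECRET"))
```

After the CA has validated the record, the client removes it again; the `update delete` line before each `update add` is what keeps a failed or interrupted run from leaving an old value that would make the next validation fail.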
In the Fig. 2 you can see how I set up the certificate for the web Configurator of pfSense.
Save the configuration. Now request the certificate by pushing the Issue/Renew button; if every step has been done properly you will get your valid certificate, and the current date will appear in Last Renewal.
Well done! Now we can create the cron job for automatic renewal: open the General Settings tab and enable automatic renewal. Save the configuration, and the certificate is ready to use.
Let’s see what we have generated on System -> Cert. Manager.
The Let’s Encrypt intermediate CA and the certificate for our FQDN test.sites.oneos.it have been added.
Now we can use the certificate we generated: go to System -> Advanced.
Set the values as in Fig. 7 and save. The system will automatically redirect you to the new name over HTTPS.
Now we only have to test the name. Open your browser and enter the URL https://test.sites.oneos.it.
Let’s Encrypt on pfSense.