Using pfsense to sign private wildcard SSL certificates

pfsense is a wonderful router appliance BSD distro that I’ve enjoyed for some years now.

I use the pfsense certificate manager to issue certs for my VPN client devices. For my Internet-facing life, I have legit SSL certs for everything, I’ve a neurosis about it. But it’s bothered me that for my LAN servers, I’ve continued to use Self-Signed certs for interfaces. Today I fix that.

Here are my notes on how to create and sign a wild-card SSL cert using pfsense for internal use. Note that this approach means you will make your own certificate authority which then must have its root cert installed on any machine you want to use your own certs.

  1. On your pfsense box, create a Certificate Authority certificate (System > Cert. Manager > CAs).

  2. Somewhere, on some box with bash, fetch my SSL-kit from github. Use it to create a private key and CSR for your wildcard domain. Note that when you call my scripts, your domain name needs a *. prefix to function as a wildcard.

  3. Back on your pfsense box, create a certificate by signing the CSR you just made (System > Cert. Manager > Certificates > Sign a certificate signing request). Be sure to use the “Alternative Names”
    field to give your common name again. I found if I didn’t do this, Chrome would have an emotional episode issue (Safari was fine). Be sure to select a Server Certificate Certificate Type.

    Here’s an example:

  4. Now view the list of issued certificates under System > Cert. Manager > Certificates. For the cert you just created, download the cert by clicking the “Export Certificate” link. Use this .crt with your .key created by my ssl-kit earlier. You can install these two on your LAN machines.

  5. For clients to accept the cert, you need to import your CA cert on them. The procedure will differ by OS. I use macOS largely on my desktops, so for them, I import the CA crt with Keychain Manager, to my login keychain. Once imported, then you need to find your cert in the list, double-click it and change the Trust settings to “Always Trust”.

If you want to use this cert with your pfsense installation itself, I found I had difficulty getting the Sign a certificate signing request interface to accept my private keys. But I just then exported the certificate as a totally external certificate which worked fine. You can change the SSL cert used by pfsense in the System > Advanced interface.

As usual, these instructions are mainly my personal notes to myself so I don’t waste my brain trying to remember trivial details that take time to rediscover. I hope this is of a bit of help to someone else.

PS – I skimmed a bit of this document to help myself get this going, it’s certainly relevant.