IT Company Blog

Website security is one of the most important fundamental of network infrastructure. And one of the best ways to ensure secure communication is by using SSL certificates. PfSense is a popular open-source firewall and router solution. It allows administrators to encrypt the web interface (Web GUI) and other services using SSL certificates. It is important to protect it using SSL as it secures login credentials, configuration changes and other communications between the administrator and the firewall.

In this guide, we’ll walk through the steps to create an SSL certificate for your pfSense firewall, whether you’re using a self-signed certificate or one issued by a trusted Certificate Authority (CA).

Why Use SSL with pfSense?

PfSense web interface is typically access over HTTP by default. That means any data transmitted, including username and passwords, is vulnerable to interception. By securing it means you encrypt the entire communication channel between your browser and the pfSense firewall. Hence it ensures

1. Login credentials,
2. Configuration data
3. Security protection against potential threats
4. Secure online and remote accessibility
5. Applies industry-standard encryption principles.

Step by Step Process of How to Create an SSL Certificate for pfSense Firewall?

Follow the step-by-step process of creating an SSL certificate for pfSense firewall. In case if you face any difficulty feel free to ask for assistance which is offered free of cost to our customers.

Step 1: Access pfSense Web Interface

To get started, you need to access the pfSense WebGUI:

1. Open a web browser and navigate to the IP address of your pfSense firewall. By default, it’s typically https://<pfSense-IP-Address>.
2. Log in with your administrative credentials (the default username is admin and the default password is pfsense unless changed).

Once you’re logged in, you can start the process of generating an SSL certificate for pfSense.

Step 2: Create a Certificate Authority (CA)

If you don’t already have a Certificate Authority (CA) set up in pfSense, you’ll need to create one. A CA is a trusted entity that issues digital certificates. You can either use an internal CA (which pfSense can create for you) or import an existing CA certificate. For most home or small office setups, using an internal CA is sufficient.

1. Navigate to: System > Cert. Manager > CAs.
2. Click “Add” to create a new Certificate Authority.
3. Fill in the following details:

• Descriptive Name: This is a friendly name for your CA (e.g., “My pfSense CA”).
• Method: Choose Create an internal Certificate Authority.
• Key Type: RSA or ECC (we’ll use RSA here).
• Key Length: Set to 2048 bits for RSA (this is a widely accepted standard).
• Digest Algorithm: Choose SHA256 for security.
• Lifetime: Set the certificate’s validity (e.g., 3650 days for 10 years).
• Distinguished Name (DN) Fields: Provide details like country, state, organization, etc.

1. Click Save to create the CA.

This Certificate Authority will now be used to issue the SSL certificate for your pfSense WebGUI.

Step 3: Create the SSL Server Certificate

Now that you have a CA, it’s time to create the SSL certificate that pfSense will use for its WebGUI.

1. Navigate to: System > Cert. Manager > Certificates.
2. Click on “Add” to create a new certificate.
3. Complete the fields:

• Descriptive Name: A name for your certificate (e.g., “pfSense WebGUI SSL”).
• Certificate Authority: Select the CA you just created.
• Key Type: Choose RSA (or ECC if you prefer).
• Key Length: Set to 2048 bits for RSA.
• Common Name: This is the DNS name or IP address of your pfSense firewall (e.g., pfsense.local or 192.168.1.1).
• Alternative Names: If you plan to access pfSense using multiple hostnames or IP addresses, you can list them here.
• Digest Algorithm: Use SHA256 for better security.
• Certificate Type: Choose Server Certificate because you’re securing the WebGUI.
• Key Usage: Check options for Digital Signature and Key Encipherment.

1. Click Save to generate the certificate.

Step 4: Configure pfSense WebGUI to Use SSL

Once the SSL certificate is created, you need to configure pfSense to use it for the WebGUI:

1. Navigate to: System > Advanced > Admin Access.
2. Under Secure WebGUI, select the newly created SSL certificate from the drop-down list.
3. Click Save.

This will enable SSL encryption for the pfSense WebGUI, so every time you log in, your communication with the firewall will be encrypted.

Step 5: (Optional) Import an External SSL Certificate

If you’d prefer to use a trusted third-party SSL certificate (e.g., from Let’s Encrypt, DigiCert, or any other commercial CA), you can import it into pfSense.

1. Navigate to: System > Cert. Manager > Certificates.
2. Click “Add” and select Import an existing certificate.
3. Paste the contents of your certificate and private key into the provided fields.
4. Save the imported certificate.

After importing the external certificate, you can follow the same steps as above to configure pfSense to use it for the WebGUI.

Step 6: Verify SSL Encryption

Finally, it’s time to test the SSL encryption on your pfSense WebGUI. Open a web browser and go to https://<pfSense-IP-Address> (or the DNS name you configured). You should see a secure connection with HTTPS, and if you used a self-signed certificate, your browser may warn you that the certificate is not trusted. This can be safely ignored, or you can add the certificate to your browser’s trusted certificates.

Conclusion

Follow these steps and you can create an apply an SSL certificate to your pfSense firewall. It will enhance the security of your web GUI and protect your online portfolio. It is important to protect your sensitive data from prying eyes and it doesn’t matter whether you are using self-signed certificate or importing a trusted one form a third-party CA.

Frequently Asked Questions