Netgate Discussion Forum

    pfSense certificate

    13 Posts 4 Posters 996 Views
    • stephenw10 Netgate Administrator

      Yup could be. I use Firefox here and only ever have to allow the cert exception once per device.

      What actual error is shown?

      • the other

        hey there,
        I don't think it is a question of expiring...rather it seems to me, it is a question of "does Firefox already know about your self-signed cert?"
        I use certificate manager on pfSense to make my own CA and use that to issue my own SSL certificates (and user ones as well). So in my LAN I have https active, using self-signed certs for servers at home (and a self-signed webGUI cert for pfSense instead of the default one).
        BUT: you need to make that issuing CA known to your browser.

        So: export your CA's cert, import that to Firefox (settings > security > certificates I think) and then...it should no longer give out warnings and you do not need exceptions any more (since your browser sees your self-signed certs and trusts your issuing CA).

        At least that's what I suggest... :)

        the other

        pure amateur home user, no business or professional background
        please excuse poor english skills and typpoz :)

        • hspindel @the other

          @the-other Thank you for the reply. I tried importing the certificate to Firefox, and Firefox said there was no need since it already had the certificate.

          So perhaps this is not a certificate issue.

          • keyser Rebel Alliance @hspindel

            @hspindel It’s likely because you have set a validity span that is too long on your self-signed certificate. I think the limit is around 390 days right now - otherwise the browser will declare the certificate invalid. Those limits are expected to drop further in the future, I think.

            Love the no fuss of using the official appliances :-)

            • the other

              Sure you imported the CA one? First export from pfSense...I did not mean the SSL server cert, just to be sure.
              @keyser
              I read about limited lifespan acceptance too. Still, my certs have 3650 days and still got accepted...

              the other

              pure amateur home user, no business or professional background
              please excuse poor english skills and typpoz :)

              • keyser Rebel Alliance @the other

                @the-other said in pfSense certificate:

                Sure you imported the CA one? First export from pfSense...I did not mean the SSL server cert, just to be sure.
                @keyser
                I read about limited lifespan acceptance too. Still, my certs have 3650 days and still got accepted...

                Yes, it will be accepted and installed, but it will throw you the certificate warning every once in a while anyways - haven’t quite figured out how that interval is determined

                Love the no fuss of using the official appliances :-)

                • hspindel @keyser

                  Was able to reproduce the issue. Actual Firefox message is:

                  Warning: Potential Security Risk Ahead

                  Firefox detected a potential security threat and did not continue to <local IP>.

                  Issue is most likely with the website and there is nothing you can do to resolve it.


                  • stephenw10 Netgate Administrator

                    Does it tell you what the issue is?

                    The usual warning from the self signed cert is:
                    [image: Screenshot from 2025-02-05 10-30-58.png]

                    But you can just accept that and it won't usually ask again.
                    [image: Screenshot from 2025-02-05 10-32-16.png]

                    • hspindel @stephenw10

                      @stephenw10 Yes, that is the exact same warning screen I see. Unfortunately it reappears no matter how many times I accept it.

                      • stephenw10 Netgate Administrator

                        Hmm, that has to be a security setting in Firefox.

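
A way to check the two points raised in this thread, whether the file imported into Firefox is the CA certificate rather than the server certificate, and how long a certificate's validity span is. This is an added example, not from any of the posters. It assumes the `openssl` CLI and GNU `date`; the file names and the `pfsense.home.arpa` subject are constructed for the demo.

```shell
#!/bin/sh
# Added example: tells a CA certificate from a server certificate, reports the
# validity span, and checks the chain. Assumes the openssl CLI and GNU date.

# Succeeds only if the PEM file carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Prints the validity span (notAfter - notBefore) in whole days.
validity_days() {
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ($(date -u -d "$end" +%s) - $(date -u -d "$start" +%s)) / 86400 ))
}

# Succeeds if server certificate $2 verifies against trust anchor $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Builds a constructed CA and a server certificate signed by it in directory $1.
make_demo_certs() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Home CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" -days 3650 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=pfsense.home.arpa" -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 3650 -out "$1/srv.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
for f in ca.pem srv.pem; do
    if is_ca "$demo/$f"; then kind="CA"; else kind="server"; fi
    echo "$f: $kind certificate, valid for $(validity_days "$demo/$f") days"
done
chains_to "$demo/ca.pem" "$demo/srv.pem" && echo "srv.pem chains to ca.pem"
```

Run `is_ca` and `validity_days` against the file exported from the pfSense certificate manager before importing it; a file that fails `is_ca` is the server certificate, not the issuing CA.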
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.