Tutorial - Windows certificate with IPsec



    Hello everybody!

    Let's explain what we are doing here. In pfSense, when you build an IPsec tunnel, you can choose whether the peers authenticate each other with a pre-shared key or with a certificate. If you choose a certificate, you are likely to build it in the System -> Cert. Manager tool. However, if you already have an Active Directory Certificate Services (AD CS) CA and want to use it to secure your VPN, here is how you can issue the certificates:

    First of all, you need to choose a good key storage provider (I chose the Microsoft Software Key Storage Provider), and then, before creating any certificate, we need to modify a template. In order to do so, launch mmc.exe, hit Ctrl+M (Add/Remove Snap-in) and add the Certificate Templates, Certificates, and Certification Authority snap-ins. (When the Certificates snap-in asks which account to manage, select Computer account -> Local computer.)

    Then, go to Certificate Templates, choose the IPSec template, right-click and select Duplicate Template. Now, we have to make a few changes in the new template, which are:

    • Under Compatibility, raise the Certification Authority and Certificate recipient levels to Windows Server 2012 / Windows 8 (older template versions do not offer the Key Storage Provider option used below)

    • Under Request Handling, tick Allow private key to be exported (pfSense needs the private key, so the PFX you export later has to contain it; treat that file and its passphrase accordingly)

    • Under Cryptography, change Provider Category to Key Storage Provider and select "Requests can use any provider available on the subject's computer"

    • Under Subject Name, select Supply in the request (the subject and alternative name you type in the enrollment wizard then become the identity of the IPsec peer)

    • Under Extensions, Application Policies, add Server Authentication

    • Under Security, limit Enroll to the account that will request the firewall certificate: with the subject supplied in the request, anyone holding Enroll on this template can ask the CA for any name

    Then, you need to publish this template on the CA under Console Root / Certification Authority / server name / Certificate Templates (right-click -> New -> Certificate Template to Issue).

    Now, under Console Root / Certificates (Local Computer) / Personal / Certificates, right-click -> All Tasks -> Request New Certificate, hit Next twice, tick your previously made template, click on Details, go to Properties and fill in the Subject name and Alternative name (use the identity the pfSense peer will present, typically the firewall's FQDN), then Enroll.

    Now you just need to export the certificate together with its private key as a PFX file and import it into pfSense, here is how: https://knowledge.zomers.eu/pfsense/Pages/How-to-use-a-Windows-PFX-certificate-with-pfSense.aspx
    Enjoy!
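    The enrollment and export steps above can also be scripted instead of clicked through. The following is an added example, not code from the original post or from pfSense: it requests a certificate from the duplicated template with the subject supplied in the request, checks that the template produced what the IPsec tunnel needs (private key present, Server Authentication EKU), and writes the PFX plus the issuing CA certificate in PEM for pfSense. The template name pfSenseIPsec and the peer name vpn.example.com are hypothetical placeholders; run it elevated on a domain-joined Windows 8 / Server 2012 or later host that can reach the CA.

```powershell
# Added example (not from the original post): MMC enrollment steps done from PowerShell.
# Assumptions (hypothetical, adjust to your environment):
#   - the duplicated template is named "pfSenseIPsec" (template name, not display name)
#   - the firewall identity is vpn.example.com
#   - run elevated, so the key lands in the Local Computer store like the MMC wizard does
# Needs the PKI module cmdlets (Get-Certificate, Export-PfxCertificate).

$TemplateName = 'pfSenseIPsec'        # hypothetical template name
$PeerFqdn     = 'vpn.example.com'     # hypothetical; must match the identifier used in pfSense
$OutDir       = Join-Path $env:TEMP 'pfsense-ipsec'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Request the certificate. Subject and SAN are given here because the template
#    is set to "Supply in the request"; the AD enrollment policy locates the CA.
$result = Get-Certificate -Template $TemplateName `
                          -SubjectName "CN=$PeerFqdn" `
                          -DnsName $PeerFqdn `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete, status: $($result.Status) (Pending means the CA wants manual approval)"
}
$cert = $result.Certificate

# 2. Verify the template did what we expected before handing anything to the firewall.
if (-not $cert.HasPrivateKey) {
    throw 'No private key is bound to the certificate; check the Request Handling tab'
}
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {      # id-kp-serverAuth
    throw 'Server Authentication EKU is missing; check Extensions / Application Policies'
}

# 3. Export certificate + private key as PFX for pfSense. The private key leaves this
#    machine in the file, so prompt for the passphrase and delete the file after import.
$pfxPath = Join-Path $OutDir "$PeerFqdn.pfx"
$pw = Read-Host -AsSecureString -Prompt 'PFX passphrase'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw -ChainOption BuildChain | Out-Null

# 4. Write the issuing CA certificate as PEM. pfSense needs it under
#    System -> Cert. Manager -> CAs to validate the remote peer's certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($cert)
if ($chain.ChainElements.Count -lt 2) { throw 'Could not build the chain up to the issuing CA' }
$issuer = $chain.ChainElements[1].Certificate
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($issuer.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----`n"
$caPath = Join-Path $OutDir 'issuing-ca.pem'
Set-Content -Path $caPath -Value $pem -Encoding ascii

Write-Host "PFX for pfSense:   $pfxPath"
Write-Host "Issuing CA (PEM):  $caPath"
Write-Host "Thumbprint:        $($cert.Thumbprint)"
```

    The checks in step 2 are there because every setting in the template list above maps to one of them: a missing private key means the export option or the KSP choice went wrong, and a missing EKU means the Application Policies edit was not saved. Import the PFX in pfSense as described in the linked article and the PEM as a CA, then point the IPsec phase 1 at both.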

    PS: if you have any problem (or if I forgot something), just give me a shout!