Remote Access SSL/TLS OpenVPN without CA on pfSense

  • Hi,
    Would you be so kind please and tell me, is it possible to use ONLY external Certification Authority?

    I spent a lot of time by searching and reading about OpenVPN and pfSense but I still don’t understand why I have to have CA on pfSense. My idea is to create CSR on pfSense for server certificate for OpenVPN and then create all user certificates outside of pfSense.

    For example with Windows Server RRAS I’m capable to create SSTP VPN. Server gets certificate manually or automatically (auto-enrollment) and Windows laptops get it automatically (auto-enrollment) from online intermediate CA. They also get offline root CA certificate from into their local machine Trusted Root Cert using Group Policy.

    My main objective is to automatically enroll certificates for users using Active Directory, Group Policy and existing PKI. If not possible automatically, then at least using CA that doesn't sit on pfSense.

    Thank you.

  • LAYER 8 Global Moderator

    You can use what ever CA you want.  Nothing says the CA has to be on pfsense to use openvpn.  But openvpn needs the CA cert so can validate the clients.  This is the peer authority in the gui.  If your wanting to use an external CA then you will have to add the CA to pfsense Cert Manager and then pick that as the peer authority in pfsense.

  • Does it mean that I can import root offline CA public key as CA that I can setup in OpenVPN? I will test ASAP. Thank you!

  • @johnpoz:

    You can use what ever CA you want.

    Again, I’d like to thank you johnpoz. Now I understand how stupid was to ask about that since I didn’t realize that I can import just public CA key.

    But I still have some strange issue with it… I imported public CA key and on pfSense I created CSR (Common Name: public DNS that points to pfsense WAN) and issued certificate. In OpenVPN when I select CA and issued server cert then I will get following warning:

    Warning: The selected server certificate was not created as an SSL Server certificate and may not work as expected

    Then when I try to export configuration using Client Export package I get error:

    Could not locate the CA reference for the server certificate.
    Failed to export config files!

    I think that I might have issue with server certificate. I tried several different CA templates with “Server Authentication” and with both “Client Authentication” and “Server Authentication” but OpenVPN Server setup still showing warning that it’s not SSL Server cert…

  • LAYER 8 Global Moderator

    Dude you have to create the ca - with the import CA function.  Then that ca could create your server cert to use with the openvpn server.  You would then import that cert, which could be used by openvpn.

    For example - here is where you would download a CA from Symantec

    See the cert - you would paste that into your CAs And give it a name.  Not sure what your doing when you say public key?

  • @johnpoz:

    Dude you have to create the ca

    I created it exactly in this way but I didn't create server cert using this CA. I just created CSR and issued it on Windows Server PKI. Thanks mate! Testing now!

  • LAYER 8 Global Moderator

    Your going to have to have that CA sign your cert you request.. Or just import the cert you create on your CA for it..

  • @johnpoz:

    Your going to have to have that CA sign your cert you request..

    Yes… Exactly

    I imported CA public key in the same way as on your screenshot.

    Then I created CSR: Cert Manager - Certificated - Add - Create a Certificate Signing Request
    I exported *.req file, imported it into Windows Server CA, issued it and I exported base 64 of it...

    on pfSense I completed signing request by pasting base 64 into "Final certificate data" (I did it in past for SSL cert for Web GUI HTTPS and that works well)

  • LAYER 8 Global Moderator

    Well dude how is it going to work when clearly it is NOT a server cert..

  • That means that I have to find out what is server cert for pfSense from the perspective of Windows Server CA. I tried several templates and they all have "Server Authentication" or server and "Client Authentication" but that probably is not enough for pfSense. I haven't found any specific Windows Server CA / pfSense guide so I will have to trial and error different configurations of template.

    Thank you.

  • LAYER 8 Global Moderator

    Pretty sure there is a "web server" template - I would guess that would be the template to use.  I have not used windows based CA in long time.. But I do recall that template.  What version of windows area you using? 2k8, 2k12 - new 2k16?

  • 2012 R2 but this should not matter. Most of those templates are by default in 2003 version. When I try something new (for example in this case) I always start with the old one and when it works I try to "upgrade it" since new templates are better from security perspective. Funny that my SSL cert for GUI shows "Server: No" but works as expected ;-).

    "Web Server" template is there… I will test it ASAP. Thank you.

  • Nope, still Server: No

    I will try to create internal CA and server cert and export config. Then I will switch files in exported archive and try to connect. It might work since pfSense allows me to save Server configuration with "Server: No" certificate…

  • Did you managed to find out what a "Server" certificate is?
    I am not using Windows Server CA but EJBCA and having the same issue: my certificate is treated as "Server: No" by pfSense.

  • LAYER 8 Netgate

    A server certificate has this attribute:

    Netscape Cert Type:
                    SSL Server

    The following extensions are non standard, Netscape specific and largely obsolete. Their use in new applications is discouraged.


    See Also: man x509v3_config

    I am not 100% sure exactly what needs that to be present, but it's not pfSense. Maybe strongswan and openvpn.

    You will probably find it easier to keep the certificates on pfSense so you can use the client export utility but there is no requirement to do so.

    You do have to have the CA certificate installed on the firewall so openvpn can validate client certificates against it but you don't need the private key there unless you are going to generate/sign client certificates there.

    You will need to import the certificate and key parts as the server cert but they do not have to be generated on pfSense.

Log in to reply