Netgate Discussion Forum

Remote Access SSL/TLS OpenVPN without CA on pfSense

• Jeff W, last edited by Sep 30, 2016, 8:09 PM

    Hi,
    Would you be so kind as to tell me whether it is possible to use ONLY an external Certification Authority?

    I spent a lot of time searching and reading about OpenVPN and pfSense, but I still don't understand why I have to have a CA on pfSense. My idea is to create a CSR on pfSense for the OpenVPN server certificate and then create all user certificates outside of pfSense.

    For example, with Windows Server RRAS I'm able to create an SSTP VPN. The server gets its certificate manually or automatically (auto-enrollment), and Windows laptops get theirs automatically (auto-enrollment) from the online intermediate CA. They also get the offline root CA certificate into their local machine Trusted Root Certificates store using Group Policy.

    My main objective is to automatically enroll certificates for users using Active Directory, Group Policy and the existing PKI. If that is not possible automatically, then at least using a CA that doesn't sit on pfSense.

    Thank you.

    • johnpoz (LAYER 8 Global Moderator), last edited by Sep 30, 2016, 8:20 PM

      You can use whatever CA you want. Nothing says the CA has to be on pfSense to use OpenVPN. But OpenVPN needs the CA cert so it can validate the clients. This is the peer authority in the GUI. If you're wanting to use an external CA then you will have to add the CA to the pfSense Cert Manager and then pick that as the peer authority in pfSense.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • Jeff W, last edited by Sep 30, 2016, 8:50 PM

        Does it mean that I can import the offline root CA's public key as the CA that I can set up in OpenVPN? I will test ASAP. Thank you!

        • Jeff W, last edited by Oct 1, 2016, 9:29 AM

          @johnpoz: "You can use whatever CA you want."

          Again, I'd like to thank you, johnpoz. Now I understand how stupid it was to ask about that, since I didn't realize that I can import just the public CA key.

          But I still have a strange issue with it... I imported the public CA key, and on pfSense I created a CSR (Common Name: the public DNS name that points to the pfSense WAN) and had the certificate issued. In OpenVPN, when I select the CA and the issued server cert, I get the following warning:

          Warning: The selected server certificate was not created as an SSL Server certificate and may not work as expected

          Then, when I try to export the configuration using the Client Export package, I get an error:

          Could not locate the CA reference for the server certificate.
          Failed to export config files!

          I think that I might have an issue with the server certificate. I tried several different CA templates, with "Server Authentication" only and with both "Client Authentication" and "Server Authentication", but the OpenVPN Server setup is still showing the warning that it's not an SSL Server cert...

          • johnpoz (LAYER 8 Global Moderator), last edited by Oct 1, 2016, 9:52 AM; Oct 1, 2016, 9:45 AM

            Dude, you have to create the CA with the import CA function. Then that CA could create your server cert to use with the OpenVPN server. You would then import that cert, which could be used by OpenVPN.

            For example, here is where you would download a CA from Symantec:
            https://knowledge.symantec.com/kb/index?page=content&actp=CROSSLINK&id=SO25808

            See the cert: you would paste that into your CAs and give it a name. Not sure what you're doing when you say public key?

            [Screenshots: importCA.jpg, importaCA.jpg]


            • Jeff W, last edited by Oct 1, 2016, 9:51 AM

              @johnpoz: "Dude, you have to create the CA"

              I created it exactly in this way, but I didn't create the server cert using this CA. I just created a CSR and had it issued on the Windows Server PKI. Thanks mate! Testing now!

              • johnpoz (LAYER 8 Global Moderator), last edited by Oct 1, 2016, 9:55 AM

                You're going to have to have that CA sign the cert you request.. Or just import the cert you create on your CA for it..


                • Jeff W, last edited by Oct 1, 2016, 10:14 AM

                  @johnpoz: "You're going to have to have that CA sign the cert you request.."

                  Yes... Exactly.

                  I imported the CA public key in the same way as in your screenshot.

                  Then I created the CSR: Cert Manager - Certificates - Add - Create a Certificate Signing Request.
                  I exported the *.req file, imported it into the Windows Server CA, issued it and exported the Base64 form of it...

                  On pfSense I completed the signing request by pasting the Base64 into "Final certificate data" (I did this in the past for the SSL cert for the Web GUI HTTPS and that works well).

                  [Screenshot: 2016-10-01_11-01-42.jpg]

                  • johnpoz (LAYER 8 Global Moderator), last edited by Oct 1, 2016, 10:41 AM

                    Well dude, how is it going to work when clearly it is NOT a server cert..

                    [Screenshots: serverno.jpg, serveryes.jpg]


                    • Jeff W, last edited by Oct 1, 2016, 10:51 AM

                      That means that I have to find out what a server cert for pfSense is from the perspective of the Windows Server CA. I tried several templates and they all have "Server Authentication", or both server and "Client Authentication", but that probably is not enough for pfSense. I haven't found any specific Windows Server CA / pfSense guide, so I will have to trial-and-error different configurations of the template.

                      Thank you.

                      • johnpoz (LAYER 8 Global Moderator), last edited by Oct 1, 2016, 11:01 AM

                        Pretty sure there is a "Web Server" template; I would guess that would be the template to use. I have not used a Windows-based CA in a long time.. But I do recall that template. What version of Windows are you using? 2k8, 2k12, the new 2k16?


                        • Jeff W, last edited by Oct 1, 2016, 11:09 AM

                          2012 R2, but this should not matter. Most of those templates are by default in the 2003 version. When I try something new (for example in this case) I always start with the old one, and when it works I try to "upgrade it", since the newer templates are better from a security perspective. Funny that my SSL cert for the GUI shows "Server: No" but works as expected ;-).

                          The "Web Server" template is there... I will test it ASAP. Thank you.

                          • Jeff W, last edited by Oct 1, 2016, 11:26 AM

                            Nope, still Server: No.

                            I will try to create an internal CA and server cert and export the config. Then I will swap the files in the exported archive and try to connect. It might work, since pfSense allows me to save the Server configuration with a "Server: No" certificate...

                            • CDuv, last edited by Nov 3, 2016, 9:24 PM

                              Did you manage to find out what a "Server" certificate is?
                              I am not using a Windows Server CA but EJBCA, and I am having the same issue: my certificate is treated as "Server: No" by pfSense.

                              • Derelict (LAYER 8 Netgate), last edited by Nov 3, 2016, 11:19 PM; Nov 3, 2016, 11:10 PM

                                A server certificate has this attribute:

                                Netscape Cert Type:
                                    SSL Server

                                From the OpenSSL documentation: "The following extensions are non standard, Netscape specific and largely obsolete. Their use in new applications is discouraged."

                                idk.

                                See also: man x509v3_config

                                I am not 100% sure exactly what needs that to be present, but it's not pfSense. Maybe strongSwan and OpenVPN.

                                You will probably find it easier to keep the certificates on pfSense so you can use the client export utility but there is no requirement to do so.

                                You do have to have the CA certificate installed on the firewall so OpenVPN can validate client certificates against it, but you don't need the private key there unless you are going to generate/sign client certificates there.

                                You will need to import the certificate and key parts as the server cert, but they do not have to be generated on pfSense.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)
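As an added example (not from the thread or from pfSense's own code), the script below builds a throwaway CA, signs one CSR twice, once with an EKU-only profile like a Windows "Web Server" template and once adding the Netscape "SSL Server" cert type Derelict points to, and checks each certificate for that attribute; the EKU-only certificate comes out "no", which is the "Server: No" Jeff and CDuv were seeing. All names, files and the CA itself are constructed for the demonstration and assume a local openssl binary.

```shell
#!/bin/sh
# Added example: compare an EKU-only server cert with one that also carries
# nsCertType = server, and test each for the "SSL Server" Netscape cert type.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA (constructed; stands in for the thread's Windows Server CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# One CSR, like pfSense's "Create a Certificate Signing Request" produces.
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
  -keyout server.key -out server.csr 2>/dev/null

# Profile A: EKU serverAuth only (what a "Web Server"-style template yields).
cat > eku_only.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Profile B: same, plus the Netscape cert type from the post above.
cat > ns_server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
EOF

# sign <ext-file> <out-cert>: CA signs the CSR with the given extension profile.
sign() {
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$1" -out "$2" 2>/dev/null
}
sign eku_only.ext eku_only.crt
sign ns_server.ext ns_server.crt

# is_ssl_server <cert>: "yes" if the Netscape Cert Type extension lists SSL Server.
is_ssl_server() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
  then echo yes; else echo no; fi
}
# has_server_auth <cert>: "yes" if the EKU lists TLS Web Server Authentication.
has_server_auth() {
  if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
  then echo yes; else echo no; fi
}

echo "eku_only.crt:  serverAuth=$(has_server_auth eku_only.crt) nsCertType SSL Server=$(is_ssl_server eku_only.crt)"
echo "ns_server.crt: serverAuth=$(has_server_auth ns_server.crt) nsCertType SSL Server=$(is_ssl_server ns_server.crt)"
```

Both certificates carry the serverAuth EKU; only the second one carries the Netscape attribute, so a check keyed on that attribute alone treats the first one as not a server certificate.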

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.