PfSense CA manager in 2.3

  • Hello community, not sure if this is the right location but I wanted to reach out and ask some questions about the CA and certificate tab with 2.3.  I have setup both tabs following this guide  I wouldnt say im savy with certificate stuff but I know what I need to to follow docs to setup certs for equipment.  I want to follow this guide  to replace the certs on my vsphere stuff but I am a bit confused at what pfSense actually offers with its CA management.

    On my certificates tab I have only created 3 certs so far for my 2 esxi 6 hosts and my vsphere 6 VCSA appliance.  I am unsure if I can just start at step 7 on VMware's page and just upload the cert I already generated for all 3 or if I need to actually generate the csr and key on the vsphere equipment.  Also I am not sure if I need a root and intermediate to setup in the vsphere stuff, and I am unsure how or if I can get a root and intermediate chain from the pfSense manager.

    Any help would be greatly appreciated!


  • Create an internal certificate authority in pfsense. This will generate a root CA cert which you will use to sign your certificates.

    Create an internal certificate and make sure you sign it with your root CA cert.

    No need to provide a CSR or private key as pfsense will generate these internally. You can export the certificates and keys directly from the certificate manager (the little buttons in the Actions column).

    You can then import both sets of certs and keys into whatever you like. Obviously be aware that no devices will trust any certificates signed by your CA unless you manually import the root CA cert into your trusted certificate store.

  • For anyone interested, I have completed this and it is good.  Following this guide I created my CA and certificates I needed for my VCSA 6 and my 2 esxi 6 hosts.  I downloaded the CA root crt + key and the host crt + key and uploaded all of them to a shared storage space.  I followed this guide using option 1 and it asked for the VCSA crt, key and also the root crt.  I then followed this guide for my 2 esxi 6 hosts starting at the "Installing and configuring the certificate on the ESXi host"  I noticed I needed to remove the hosts 1 at a time from vcenter, update the cert, reboot the host to be on the safe side and re add back into vcenter.  All certs are now trusted and good for 10 years.