CA private key



  • Hello, as long as I searched I couldn't find an appropriate answer to what I'm trying to do. I have an OpenVPN server that is fully functional and I want to migrate it to pfSense. So, I created a new CA in pfSense (System->Cert.Manager->Add); in the "Certificate data" field I managed to copy the cert of the OpenVPN server, but I am having trouble finding the private key of that OpenVPN server. As the field is optional, I created the CA, but it is not marked as "internal" (for the lack of the private key, I guess).

    In order to test if what I'm trying to do is possible, I tried to do the same exercise in this scenario: migrate the CA from pfSense to another pfSense. I had no problem at all; in the GUI of pfSense I copied the cert and private key from one to the other. To verify where these files are, I entered the shell and searched for those files, but I only found the cert file and could not find the private-key file (I searched for both of them by string inside the file).

    So my question is: Where does pfSense store the OpenVPN CA private key?

    I hope you guys could give a hint about the CA cert and private key management, because I want the copied CA to be marked as "internal".

    Thanks in advance!


  • Rebel Alliance Developer Netgate

    On pfSense, the private key for the CA is stored with the CA. If you click the pencil icon to edit the CA entry you can paste in the private key.

    The CA private key would not be stored with an OpenVPN server or client settings, they only need the CA certificate. If you are importing a CA from some other system, you need to look for the private key there, wherever the certificates were made originally.

    If you are unable to locate that CA, then you can always make a new one. You do not need the private key for an OpenVPN server to work. You only need the private key to create new certificates for the VPN.

    Worst case, you set up a VPN with the old CA and certs for existing clients and then you make a new CA and certs + server for new clients and eventually migrate everyone over to that.



  • Ok, thanks for the response. So, can I accomplish this?

    Migrate CA from OpenVPN (CA cert + private key) to Pfsense to still generate client certificates.

    And the second question:

    In pfSense, once you create a new CA, where are the CA cert and private key physically stored in the OS? (I only found the cert file in /var/etc/openvpn.)


  • Rebel Alliance Developer Netgate

    The CA is stored in the main configuration file, /conf/config.xml, and is not kept separately on the filesystem.



  • Thanks! I found all the certificates, including the CA cert and private key. Just to add some information, this post https://forum.pfsense.org/index.php?topic=32372.0 helped me get the strings of these certificates from the base64-encoded XML fields.
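As an added example (not code from this thread or from pfSense itself), a small Python script that reads the `<ca>` entries out of a config.xml backup, base64-decodes the `<crt>` and `<prv>` fields, and reports which CAs actually carry a private key, i.e. which ones can still sign new certificates after a migration. The XML sample is constructed with placeholder PEM bodies, and the element names `<ca>`, `<refid>`, `<descr>`, `<crt>`, `<prv>` are assumed to match pfSense's config layout.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed stand-in for the <ca> entries of a pfSense /conf/config.xml backup; PEM
# bodies are placeholders, not real key material. Element names follow pfSense's layout.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
def _b64(text): return base64.b64encode(text.encode("ascii")).decode("ascii")

SAMPLE_CONFIG_XML = f"""<pfsense>
  <ca>
    <refid>5f1a2b3c4d5e6</refid><descr>Migrated OpenVPN CA</descr>
    <crt>{_b64(CA_PEM)}</crt>
    <prv>{_b64(KEY_PEM)}</prv>
  </ca>
  <ca>
    <refid>6a7b8c9d0e1f2</refid><descr>Cert-only CA</descr>
    <crt>{_b64(CA_PEM)}</crt>
    <prv></prv>
  </ca>
</pfsense>
"""
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY")

def _decode_field(element, tag):
    """Decode a base64 PEM field; None when the element is absent or empty."""
    raw = (element.findtext(tag) or "").strip()
    return base64.b64decode(raw).decode("ascii") if raw else None

def _has_pem_block(pem, label):
    return bool(pem) and f"-----BEGIN {label}-----" in pem and f"-----END {label}-----" in pem

def inventory_cas(config_xml):
    """Per CA: is a certificate present, and a private key (what 'internal' needs)?
    A CA without <prv> still validates VPN peers but cannot sign new certificates."""
    report = []
    for ca in ET.fromstring(config_xml).findall("ca"):
        crt, prv = _decode_field(ca, "crt"), _decode_field(ca, "prv")
        report.append({"refid": ca.findtext("refid"), "descr": ca.findtext("descr"),
                       "has_cert": _has_pem_block(crt, "CERTIFICATE"),
                       "has_private_key": any(_has_pem_block(prv, lbl) for lbl in KEY_LABELS)})
    return report

def export_ca_pem(config_xml, refid):
    """Return (cert_pem, key_pem) for one CA, ready to be checked with openssl."""
    for ca in ET.fromstring(config_xml).findall("ca"):
        if ca.findtext("refid") == refid:
            return _decode_field(ca, "crt"), _decode_field(ca, "prv")
    raise KeyError(f"no <ca> entry with refid {refid}")
```

Before relying on a migrated CA, write the exported pair to files and confirm the key belongs to the certificate by comparing `openssl x509 -noout -pubkey -in ca.crt` with `openssl pkey -pubout -in ca.key`.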

