Netgate Discussion Forum
    Make Pfsense work with Active Directory CA

it_ib:

Hi guys and girls...
We have a pfSense rel. 2.4.4 and Active Directory running.
My goal is now to provide VPN access to our employees for all AD-based computers, so to speak "known systems".
(At the moment we use OpenVPN, but everyone could install this on his private home computer, which may be infected etc.)
So I got it to work with the built-in Win10 VPN client to authenticate with the machine certificate.
But this cert needs to be signed by pfSense's CA; the certs from the AD did not work.
These certs are autoenrolled from the AD's ICA.

1. Is there a way to make pfSense accept certificates signed by the AD's ICA?
   I can only select a local CA from pfSense in the IPsec settings.

-or-

2. Is there a way to autoenroll machine certificates from pfSense?

Automating certificate enrollment from pfSense by script is a real pain in the ass....

For now, what I already managed:

• Create a certificate request via PowerShell on the computer
  - Put this cert on an NFS network share
  - Mount this share on pfSense (entry in fstab did not work, only manual mount)
  - Sign this cert with openssl on pfSense and write it to the NFS share (this is still to do; let it run remotely with PuTTY's plink)

Other to do:
  - Reimport the cert with PowerShell
  - Create VPN connection and VPN routes with PowerShell (I know how to do this)

Mats:
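The "sign the CSR on pfSense with openssl" step from the post above, as an added example that is not from the thread or from pfSense itself. The CA key/cert paths and the temp directory are assumptions standing in for the exported pfSense CA and the mounted NFS share; the CA and CSR are constructed throwaway material so the script runs offline.

```shell
#!/bin/sh
# Added example: sign a client CSR with a CA and check the chain, the way the
# poster intends to do on pfSense. Paths below are assumptions; in production
# the CA files would be the pfSense CA export and WORK would be the NFS share.
set -eu

WORK=$(mktemp -d)

# Constructed throwaway CA (stands in for the pfSense CA key/cert export).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Test pfSense CA" 2>/dev/null
}

# Constructed CSR (stands in for the one the Windows box drops on the share).
make_test_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/pc01.key" -out "$WORK/pc01.csr" \
        -subj "/CN=pc01.example.internal" 2>/dev/null
}

# sign_csr CSR OUT: sign with the CA and force VPN-client extensions from the
# CA side, so a CSR cannot ask for anything broader (e.g. CA:TRUE) than a
# client-auth leaf certificate.
sign_csr() {
    csr=$1; out=$2
    ext=$(mktemp)
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$ext"
    openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$ext" -out "$out" 2>/dev/null
    rm -f "$ext"
}

# verify_cert CERT: succeeds only if CERT chains to the CA pfSense trusts.
# A machine cert issued by some other CA (the poster's AD ICA case) fails here.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# has_client_auth CERT: succeeds if the signed cert carries the clientAuth EKU.
has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

make_test_ca
make_test_csr
sign_csr "$WORK/pc01.csr" "$WORK/pc01.crt"
```

A cert from a CA that pfSense has not been told to trust fails `verify_cert`, which is the same reason the AD-issued certs are rejected until that CA is imported.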

Let me see if I understand you correctly.
You have an MS CA that provides certs to your Windows boxes and you would like to use the same certs/CA for VPN?

This should be doable.
The first thing is to tell pfSense that certs issued from the MS CA are trusted.
To do this you need to import the root cert from your MS CA into pfSense (System/Certificate Manager/CAs).

stephenw10 (Netgate Administrator):

          Exactly what VPN type are you using here?

          I don't really see why you could not use certs signed by another CA as long as the server and clients were both using it. Though I'm not sure I've ever tried that myself, for mobile IPSec at least.

          Steve

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.