Make Pfsense work with Active Directory CA

  • Hi guys and girls...
    we have a pfSense rel. 2.4.4 and Active Directory running.
    My goal is now to provide VPN access to our employees for all AD-based computers, so to speak "known systems".
    (At the moment we use OpenVPN, but everyone could install this on his private home computer which may be infected etc.)
    So I got it to work with the built-in Win10 VPN client to authenticate with the machine certificate.
    But this cert needs to be signed by the pfSense's CA; the certs from the AD did not work.
    These certs are autoenrolled from the AD's ICA.

    1. Is there a way to make pfSense accept certificates signed by the AD's ICA?
       I can only select a local CA from the pfSense in the IPsec settings.

    2. Is there a way to autoenroll machine certificates from the pfSense?

    Automating certificate enrollment from the pfSense by script is a real pain in the ass....

    For now what I already managed:

    • Create a certificate request via PowerShell on the computer
      - Put this cert on an NFS network share
      - Mount this share on the pfSense (entry in fstab did not work, only manual mount)
      - Sign this cert with openssl on the pfSense and write it to the NFS share (this is still to do; let it run remote with PuTTY's plink)

    Other to do:
    - Reimport the cert with PowerShell
    - Create VPN connection and VPN routes with PowerShell (I know how to do this)
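    The openssl signing step on the pfSense side, as an added example that is not part of the original post or of pfSense itself: it assumes a CA key/cert and a CSR in a working directory (constructed here with a throwaway test CA and a test CSR standing in for the PowerShell request), and it constrains the issued certificate to a machine identity so the CA, not the requester, decides what the cert may be used for.

```shell
#!/bin/sh
# Added example, not the poster's script: sign a machine CSR with a CA key using
# openssl, the step planned for the pfSense box. All paths/names are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed throwaway CA standing in for the pfSense (or AD issuing) CA.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Stand-in for the CSR the PowerShell step would drop on the NFS share.
make_machine_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Sign the CSR. The extension file is applied by the CA side, so whatever the
# request asked for, the issued cert is a non-CA client identity bound to the
# hostname (clientAuth EKU plus a DNS SAN), not a server or CA certificate.
sign_machine_csr() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
    > "$WORK/$1.ext"
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:%s\n' "$1" >> "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Check before handing the cert back: it must chain to the CA and carry the
# client EKU and the expected SAN. Returns non-zero on any mismatch.
verify_machine_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$WORK/$1.crt" -noout -text)
  echo "$text" | grep -q "TLS Web Client Authentication" || return 1
  echo "$text" | grep -q "DNS:$1" || return 1
}

if [ "${1:-}" = "demo" ]; then
  make_test_ca
  make_machine_csr pc01.example.test
  sign_machine_csr pc01.example.test
  verify_machine_cert pc01.example.test && echo "issued: $WORK/pc01.example.test.crt"
fi
```

On a real pfSense box the CA key and cert would be the ones exported from System/Certificate Manager, and only the .crt would be written back to the share.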

  • Let me see if I understand you correctly.
    You have an MS CA that provides certs to your Windows boxes and you would like to use the same certs/CA for VPN?

    This should be doable.
    The first thing is to tell pfSense that certs issued from the MS CA are trusted.
    To do this you need to import the root cert from your MS CA to pfSense (System/Certificate Manager/CAs).

  • Netgate Administrator

    Exactly what VPN type are you using here?

    I don't really see why you could not use certs signed by another CA as long as the server and clients were both using it. Though I'm not sure I've ever tried that myself, for mobile IPsec at least.
