Requesting Assistance with Certificates



  • Good afternoon,

    I would like to request some assistance (link, video, documentation etc.) on implementing certificates for a captive portal. I have watched the tutorials and it is clear how to install them, I would just like to ask where I can attain or license a certificate from for such purposes. How are they normally acquired? It appears this is the final step in setting up my captive portal now! Hopefully this step isn't too complex, as I am regretfully still new to this!

    Thanks again for the support.



  • Hi,

    Using the https setup for a captive portal is even strongly advised.
    It makes the redirection process work even better, although I have no real proof of that.


    @Bashlory said in Requesting Assistance with Certificates:

    I have watched ...

    You should see these. There are several Captive portal videos that show you how to set it up from the ground up.

    You'll be needing a certificate from a (any) cert reseller.
    You'll be needing a domain name.

    The certificate authority will give you the files (certificates) that you should import into the pfSense Certificate Manager.

    The portal access will be host name based, not IP, so you probably have to set up a host override in the Resolver.

    The host name - portal.brit-hotel-fumel.net for me - should be part of the certificate.

    I strongly advise you to see the video that shows how to use the package acme. It will obtain a free certificate from LetsEncrypt for you, and install a new one when it expires.

    I've been using the captive portal with "https" access for years now. It's all automated.

    Btw: make your life easy: run the portal on a dedicated network, not the LAN network.

    @Bashlory said in Requesting Assistance with Certificates:

    I would just like to ask where I can attain or license a certificate from for such purposes. How are they normally acquired?

    You're kidding, right ? How to obtain a certificate ?
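
The requirements listed in the reply above (portal reached by host name, that name present in the certificate, a Resolver host override for it) can be checked before going live. The following is an added example, not part of the original thread or of pfSense; `portal.example.net`, the addresses and the function names are constructed, and it assumes the host override should point at pfSense's address on the portal network.

```python
import ipaddress
import ssl

def name_matches(pattern, host):
    """Compare one DNS SAN entry with the host; '*' covers only the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def portal_cert_problems(cert, portal_host, override_ip, portal_net, now, min_days=14):
    """List the reasons a portal login page would raise a browser certificate warning."""
    problems = []
    try:
        ipaddress.ip_address(portal_host)
        problems.append("portal is addressed by IP, not by a host name")
    except ValueError:
        pass  # not an IP literal, so it is a host name as intended
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, portal_host) for n in names):
        problems.append(f"{portal_host} is not covered by the certificate names {names}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < min_days:
        problems.append(f"certificate expires in {days_left:.0f} days (negative means expired)")
    # Assumption: the Resolver host override points at pfSense's address on the portal network.
    if ipaddress.ip_address(override_ip) not in ipaddress.ip_network(portal_net):
        problems.append(f"host override {override_ip} is outside portal network {portal_net}")
    return problems

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
CERT = {"subjectAltName": (("DNS", "portal.example.net"),),
        "notAfter": "Mar  1 00:00:00 2030 GMT"}
NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")  # fixed clock for repeatable output

if __name__ == "__main__":
    for host in ("portal.example.net", "192.168.2.1"):
        print(host, portal_cert_problems(CERT, host, "192.168.2.1", "192.168.2.0/24", NOW))
```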



  • Thank you for your reply.

    I am currently testing it all with a very simple setup as follows: Modem connected to a Netgate SG1100, connected to the AP.

    I have a domain and will look there for obtaining the certificates, thank you!

    What is the most optimal setup for having a pfsense portal, with multiple AP (~20).

    Thanks in advance, appreciate the help!



  • @Bashlory said in Requesting Assistance with Certificates:

    What is the most optimal setup for having a pfsense portal, with multiple AP (~20).

    With having only that line as a description ?!
    Easy ! : a big 24 port switch, and hook all AP's together to port OPT1 - the untrusted network - , keep LAN as your trusted network to administer the whole thing on site.
    That's how my visitor's captive portal works, using 5 AP's, for many years now.



  • Thanks again for the reply!

    Great, I will work on setting up the certificates for now.

    Would you happen to know if this is somehow also the root cause of the captive portal not preventing access on mobile devices? It appears to successfully block access for OS X and Windows, while mobile devices can bypass without issues.

    Thanks for the help!



  • @Bashlory said in Requesting Assistance with Certificates:

    It appears to successfully block access for OS X and Windows

    Appears ? It does, or doesn't.

    @Bashlory said in Requesting Assistance with Certificates:

    OS X and Window

    These are cabled up - using RJ45 etc, or wifi connected (using the AP) ?

    @Bashlory said in Requesting Assistance with Certificates:

    while mobile devices can bypass without issues

    Known issue. The AP should be in AP mode. Its firewall/router/DHCP/DNS facilities should be stopped. The AP must become a bridge that bridges radio signals to electrical (wire) signals. Nothing more.
    Yours is probably still routing. That creates a situation where things seem to work, but soooo broken.

