Netgate Discussion Forum

    How to accept self signed certificates from pfSense in Firefox

      newbie1975

      Before locking yourself out of your server, temporarily enable SSH.

      The standard server certificate for the webgui of pfSense (webConfigurator default) is self-signed. This will not work. This can easily be fixed, but I didn’t find a simple description which covers all aspects in one description, therefore I created this tutorial.

      1. If you do not already have an internal CA, you need to add one first in the menu “System – Certificate Manager – CAs”. After creating this CA, you need to export this CA to your local hard-drive.

      2. A new server certificate for the webgui needs to be added in the “System – Certificate Manager – Certificates” menu. This new server certificate needs to be issued by the internal pfSense CA (created in the previous step or already available if you made an internal pfSense CA before). Make sure to add this certificate with the option “Server Certificate” under “Certificate Type” and do not choose “User Certificate”, otherwise Firefox will complain with the message “sec_error_inadequate_cert_type”. For the option “Alternate names” when adding this new server certificate, provide the IP of your pfSense server and its FQDN (default is: pfsense.localdomain).

      3. Change your SSL/TLS Certificate under “System – Advanced – Admin Access” to your newly created pfSense server certificate and save your changes. pfSense will most likely reload the pfSense webgui after 20 seconds and fail. First you need to execute step 4.

      4. For Firefox to trust the Certificate Authority (CA) of pfSense you need to change two items:
        – Enable “security.enterprise_roots.enabled” in about:config in Firefox
        – Import your pfSense CA in Firefox under “Preferences – Privacy and Security – View Certificates – Tab Authorities – Import”

      5. Now delete cookies, etc., close your browser and navigate to your pfSense server by IP. Firefox will now immediately accept the pfSense as enterprise CA and also accept the pfSense server certificate issued by your pfSense CA. If you now click on the lock in your address bar you will see the notification: “Connection verified by a certificate issuer that is not recognized by Mozilla”.

      6. If everything is working fine, do not forget to disable SSH. Now enjoy not having to accept the exception every time you are logging in to your pfSense server :-)

      If you want to make it more resilient you could also create an intermediate Certificate Authority (issued by your internal pfSense CA) to be used as issuer to create your pfSense server certificate. Do this after step 1 (above) and before step 2 (above). This way you can protect your CA by only using it on your pfSense machine.

      Links:
      https://wiki.mozilla.org/CA/AddRootToFirefox
      https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
      https://www.ceos3c.com/pfsense/pfsense-generate-ssl-certificate-https-pfsense/

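A way to check a certificate before selecting it in step 3 of the post above, as an added example that is not part of the original post or of pfSense. It assumes the `openssl` CLI is available; the function names, the address 192.168.1.1 and the demo CA are constructed, and the "User Certificate" type is modelled here as a certificate whose extended key usage is clientAuth only.

```shell
#!/bin/sh
# Added example. All names and addresses are constructed sample values.

# Build a throwaway CA and two leaf certificates in directory $1:
#   server.crt  extendedKeyUsage=serverAuth  ("Server Certificate" type)
#   user.crt    extendedKeyUsage=clientAuth  ("User Certificate" type, assumed)
make_demo_pki() {
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo internal CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
extendedKeyUsage = serverAuth
subjectAltName = DNS:pfsense.localdomain,IP:192.168.1.1
[user_ext]
extendedKeyUsage = clientAuth
subjectAltName = DNS:pfsense.localdomain,IP:192.168.1.1
EOF
    openssl req -x509 -config "$d/pki.cnf" -extensions ca_ext -newkey rsa:2048 \
        -nodes -days 2 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    for t in server user; do
        openssl req -new -config "$d/pki.cnf" -subj "/CN=pfsense.localdomain" \
            -newkey rsa:2048 -nodes -keyout "$d/$t.key" -out "$d/$t.csr" \
            2>/dev/null || return 1
        openssl x509 -req -in "$d/$t.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
            -CAcreateserial -days 2 -extfile "$d/pki.cnf" \
            -extensions "${t}_ext" -out "$d/$t.crt" 2>/dev/null || return 1
    done
}

# Succeeds only if certificate $2 chains to CA $1, is valid for TLS server
# use, and its alternate names cover hostname $3 and IP address $4.
check_webgui_cert() {
    openssl verify -CAfile "$1" -purpose sslserver \
        -verify_hostname "$3" -verify_ip "$4" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
for t in server user; do
    if check_webgui_cert "$demo/ca.crt" "$demo/$t.crt" pfsense.localdomain 192.168.1.1
    then echo "$t.crt: OK for the webgui"
    else echo "$t.crt: rejected as a TLS server certificate"
    fi
done
```

To check real files, call `check_webgui_cert` with the CA and server certificate exported from the Certificate Manager, plus the hostname and IP you type into the browser.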
        skyhon

        Thanks so much! I've been trying to solve this problem for weeks. Tried to follow other tutorials, but for some reason, they didn't work. Found this and works like a charm. Thanks again.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.