How to accept self-signed certificates from pfSense in Firefox
Before you risk locking yourself out of the webGUI, temporarily enable SSH on pfSense so you can still reach the box and revert the certificate settings from the console.
The standard server certificate for the pfSense webGUI (“webConfigurator default”) is self-signed, so Firefox does not trust it and shows a certificate warning on every visit. This is easy to fix, but I did not find a simple description covering all the aspects in one place, so I created this tutorial.
If you do not already have an internal CA, add one first under “System – Certificate Manager – CAs”. After creating the CA, export its certificate to your local hard drive. Only the CA certificate is needed for the browser import; do not export or hand out the CA private key.
Next, add a new server certificate for the webGUI under “System – Certificate Manager – Certificates”. This certificate must be issued by the internal pfSense CA (created in the previous step, or already present if you made one before). Make sure to select “Server Certificate” under “Certificate Type” and not “User Certificate”: the type sets the certificate’s allowed usage, and a user certificate is not valid for server authentication, so Firefox will refuse it with “sec_error_inadequate_cert_type”. Under “Alternate names” add both the IP address of your pfSense server and its FQDN (default: pfsense.localdomain), because Firefox matches the name in the address bar against the Subject Alternative Names only, and you want both ways of reaching the box to validate.
Change the SSL/TLS certificate under “System – Advanced – Admin Access” to your newly created pfSense server certificate and save. pfSense will reload the webGUI after about 20 seconds, and Firefox will most likely refuse the page again, because it does not yet trust the CA that issued the new certificate. That is what the Firefox configuration in the next step fixes; if you get stuck, this is where the SSH access from the beginning saves you.
For Firefox to trust the Certificate Authority (CA) of pfSense you need to change two items:
– Enable “security.enterprise_roots.enabled” in about:config in Firefox. This setting makes Firefox also trust CAs from the operating system’s certificate store; it is only required if you imported the pfSense CA there. If you import the CA directly into Firefox (next item), that import is sufficient on its own.
– Import your exported pfSense CA certificate in Firefox under “Preferences – Privacy and Security – View Certificates – Tab Authorities – Import” and tick “Trust this CA to identify websites”.
Now delete cookies etc., close your browser, and navigate to your pfSense server by IP (and again by FQDN). Firefox will now accept the pfSense CA and therefore also the server certificate issued by it. If you click the lock icon in the address bar you will see the notice “Connection verified by a certificate issuer that is not recognized by Mozilla”, which is expected: the issuer is your own CA, not one from Mozilla’s root program.
If everything is working fine, do not forget to disable SSH again. Now enjoy not having to accept the exception every time you log in to your pfSense server :-)
If you want to make it more resilient, you can also create an intermediate Certificate Authority (issued by your internal pfSense CA) and use that intermediate as the issuer of the pfSense server certificate. Do this after creating the internal CA and before creating the server certificate. The root CA is then used only to sign the intermediate, while the intermediate does the day-to-day issuing; if the intermediate key is ever compromised you can replace it without importing a new root into every browser.
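To show what the steps above produce and what Firefox actually checks after the CA import, here is an added example (not code from the original page or from pfSense) that builds the same hierarchy offline with Go’s standard library: a root CA, an intermediate CA, and a webGUI certificate with the IP and FQDN as alternate names. The Verify function then mimics the browser: it trusts only the imported CA, walks the chain through the intermediate, matches the typed name against the SANs, and requires the leaf to be usable for server authentication. The FQDN “pfsense.localdomain” comes from the tutorial; the address 192.168.1.1 and the CA names are assumptions, and “User Certificate” is modelled as a leaf whose extended key usage allows only client authentication, which is the property that triggers sec_error_inadequate_cert_type.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with parentKey; for a self-signed root, parent == template.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate is what "System - Certificate Manager - CAs" creates: a CA that may sign certs and CRLs.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate mirrors the "Certificates" form: "Alternate names" become SAN entries
// (one DNS name, one IP) and "Certificate Type" becomes the extended key usage.
func leafTemplate(fqdn string, ip net.IP, certType x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: fqdn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(397 * 24 * time.Hour),
		DNSNames:     []string{fqdn},
		IPAddresses:  []net.IP{ip},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{certType},
	}
}

// Chain is the hierarchy from the tutorial: root CA -> intermediate CA -> webGUI certificate.
type Chain struct {
	Root, Intermediate, Server *x509.Certificate
}

// BuildChain issues the hierarchy. certType is x509.ExtKeyUsageServerAuth for
// "Server Certificate" or x509.ExtKeyUsageClientAuth for "User Certificate".
func BuildChain(fqdn string, ip net.IP, certType x509.ExtKeyUsage) Chain {
	rootKey, intKey, srvKey := newKey(), newKey(), newKey()
	rootTpl := caTemplate("pfSense internal CA", 1) // assumed name
	root := issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	intTpl := caTemplate("pfSense intermediate CA", 2) // assumed name
	intTpl.MaxPathLen, intTpl.MaxPathLenZero = 0, true   // may sign leaves only
	inter := issue(intTpl, root, &intKey.PublicKey, rootKey)
	srv := issue(leafTemplate(fqdn, ip, certType), inter, &srvKey.PublicKey, intKey)
	return Chain{Root: root, Intermediate: inter, Server: srv}
}

// Verify does what Firefox does after the import: trust only the given CA(s),
// build the chain via the intermediate, match host (FQDN or IP) against the
// SANs, and require the leaf to be valid for server authentication.
func Verify(c Chain, trusted []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	inters.AddCert(c.Intermediate)
	_, err := c.Server.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host, // an IP string is matched against the IP SAN
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ip := net.ParseIP("192.168.1.1") // assumed LAN address of the pfSense box
	ok := BuildChain("pfsense.localdomain", ip, x509.ExtKeyUsageServerAuth)
	ca := []*x509.Certificate{ok.Root}
	fmt.Println("FQDN, CA imported:     ", Verify(ok, ca, "pfsense.localdomain"))
	fmt.Println("IP, CA imported:       ", Verify(ok, ca, "192.168.1.1"))
	fmt.Println("CA not imported:       ", Verify(ok, nil, "pfsense.localdomain"))
	fmt.Println("name not in SANs:      ", Verify(ok, ca, "router.example"))
	bad := BuildChain("pfsense.localdomain", ip, x509.ExtKeyUsageClientAuth)
	fmt.Println("User Certificate type: ", Verify(bad, []*x509.Certificate{bad.Root}, "pfsense.localdomain"))
}
```

The first two checks print `<nil>`; the remaining three are the failures the tutorial warns about: an untrusted issuer before the CA import, a name that is not among the alternate names, and a “User Certificate” that lacks the server-authentication usage. Note that only the root is placed in the trust store, exactly as in the Firefox import; the intermediate is supplied with the chain, which is why the optional intermediate can later be replaced without touching the browsers.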