Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Pfsense as an intermediate CA to ADCS for use with OpenVPN and Radius

    Scheduled Pinned Locked Moved General pfSense Questions
    7 Posts 3 Posters 1.6k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      aclouden
      last edited by

      Hey All,

      I have an ADCS and NPS roles runiing on Windows Server 2016 VM's. I want to add my ADCS CA to pfsense, then make pfsense an intermediate CA to the ADCS CA, export the pfsense ca cert and import into ADCS CA then delete the imported ADSCA. The goal is to issue openvpn certs, use radius for user auth and machine auth (which I am doing on workstations both wired and wiresless now. Anyone have a step by step?

      1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator
        last edited by

        So the purpose of this is to issue certs from ADCS that can be authenticated in pfSense without needing the CA cert in pfSense?
        And you are already using the the server but only for user auth?

        Steve

        A 1 Reply Last reply Reply Quote 0
        • A Offline
          aclouden @stephenw10
          last edited by aclouden

          Yes.. That sounds correct. I am having difficulty importing the ca cert key and the private key for the adcs ca. I either get a message that pfsense cannot import an encrypted private key (that is if I give the private key and password on export) or that the private key is invalid if I export without a password. So I am stuck.

          Thanks for the reply!

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            You shouldn't need to import the CA cert key. You only need that to generate user certs from the CA and I assume you're doing that in ADCS?

            pfSense only needs to authenticate the clients against the CA cert. Or am I misreading this?

            Steve

            A 1 Reply Last reply Reply Quote 0
            • A Offline
              andrew_241
              last edited by

              In my case, I had ADCS sign and issue a subordinate CA certificate, to be used on pfSense, using a custom version of the ADCS Subordinate Certification Authority template. I only have the public key part of the ADCS CA loaded into pfSense, but have the private and public keys for the subordinate CA loaded into pfSense, from where it can generate certificates without needing to load my root CA's keys.

              My ADCS is actually itself a subordinate CA for a root CA that's kept offline.

              1 Reply Last reply Reply Quote 0
              • A Offline
                aclouden @stephenw10
                last edited by

                @stephenw10
                Currently, my adcs ca is only issuing machine certs for ad joined pc's for 802.1x wireless and wired auth. I want openvpn to use certs for user auth against AD.. So I suppose I generate the certs as you said but for the openvpn server, i just point it to the adcs ca server.. I guess I was overthinking this ay?

                Chris

                1 Reply Last reply Reply Quote 0
                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by

                  I've never used ADCS so I could easily be overlooking something! But if you're not generating certs for users in pfSense you don't need to import a private CA cert key.

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.