Pfsense as an intermediate CA to ADCS for use with OpenVPN and Radius
-
Hey All,
I have an ADCS and NPS roles runiing on Windows Server 2016 VM's. I want to add my ADCS CA to pfsense, then make pfsense an intermediate CA to the ADCS CA, export the pfsense ca cert and import into ADCS CA then delete the imported ADSCA. The goal is to issue openvpn certs, use radius for user auth and machine auth (which I am doing on workstations both wired and wiresless now. Anyone have a step by step?
-
So the purpose of this is to issue certs from ADCS that can be authenticated in pfSense without needing the CA cert in pfSense?
And you are already using the the server but only for user auth?Steve
-
Yes.. That sounds correct. I am having difficulty importing the ca cert key and the private key for the adcs ca. I either get a message that pfsense cannot import an encrypted private key (that is if I give the private key and password on export) or that the private key is invalid if I export without a password. So I am stuck.
Thanks for the reply!
-
You shouldn't need to import the CA cert key. You only need that to generate user certs from the CA and I assume you're doing that in ADCS?
pfSense only needs to authenticate the clients against the CA cert. Or am I misreading this?
Steve
-
In my case, I had ADCS sign and issue a subordinate CA certificate, to be used on pfSense, using a custom version of the ADCS Subordinate Certification Authority template. I only have the public key part of the ADCS CA loaded into pfSense, but have the private and public keys for the subordinate CA loaded into pfSense, from where it can generate certificates without needing to load my root CA's keys.
My ADCS is actually itself a subordinate CA for a root CA that's kept offline.
-
@stephenw10
Currently, my adcs ca is only issuing machine certs for ad joined pc's for 802.1x wireless and wired auth. I want openvpn to use certs for user auth against AD.. So I suppose I generate the certs as you said but for the openvpn server, i just point it to the adcs ca server.. I guess I was overthinking this ay?Chris
-
I've never used ADCS so I could easily be overlooking something! But if you're not generating certs for users in pfSense you don't need to import a private CA cert key.
Steve