Netgate Discussion Forum
    Exporting certs to Windows machines

    Category: ACME
    3 Posts 2 Posters 877 Views
    tlex

      Good day,

      I'm sure there is a better way of doing this, but so far this is the easiest way I've found, and I'm looking for your input if you have better ideas...

      I run PfSense with ACME / Godaddy / LetsEncrypt to do a wildcard cert that I use pretty much everywhere on my internal network. For Linux machines on the network, I push the newly updated cert using scp from PfSense (ACME action lists). I'm not a super fan of this since I would prefer the Linux hosts to pull it from time to time, but I will figure that out after. My main concern is with the Windows machines on the network.
      I'm using the cert to secure RDP sessions, but that needs a pfx cert and then specifying the cert thumbprint for the terminal service (SSLCertificateSHA1Hash).
      The way I'm doing this at the moment is as follows:

      --) ACME is configured to write ACME certificates to /conf/acme/

      1. ACME updates certs on PfSense
      2. ACME action list: openssl pkcs12 to generate the pfx on the PfSense box
      3. ACME action list: makes a copy of the cert from /conf/ACME to /usr/local/www (I know this is not cool)
      4. Windows clients pull the pfx cert from the PfSense webserver using a local powershell script that runs from a scheduled task daily.

      My goal is to make the process as smooth as possible for the Windows machines to get an updated cert when it gets renewed, and ideally to access the Pfsense certs in another way than putting them in /www. I tried SCP without success because it keeps asking for the fingerprint or fails with a connectivity issue (I just can't make it work :( )

      I also tried to adapt this script, but that also failed when I tried to rebuild the pfx on the Windows machines:
      https://ictguru.nl/wac-acme-pfsense-ictguru-freenas-pfx-certificates-windows-admin-center-ictguru-ict-guru/

      Gertjan @tlex
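      The daily pull in steps 2 to 4, written out as an added PowerShell example (not tlex's script and nothing taken from the thread): it fetches the PFX over HTTPS with the server certificate validated, skips the import when the RDP listener already uses that thumbprint, sets SSLCertificateSHA1Hash, and deletes the local copy. $PfxUrl and the PFX password are placeholders, and the script is assumed to run as SYSTEM from the scheduled task.

```powershell
# Added example, not the script from the thread. Assumptions: the renewed PFX is
# published at $PfxUrl over HTTPS with a certificate this host already trusts,
# it is protected with $PfxPassword, and the script runs as SYSTEM from the
# daily scheduled task described in step 4.
$PfxUrl      = 'https://pfsense.example.internal/wildcard.pfx'                 # placeholder
$PfxPassword = ConvertTo-SecureString -String 'CHANGE-ME' -AsPlainText -Force   # placeholder
$TempPfx     = Join-Path $env:TEMP 'wildcard.pfx'

try {
    # Invoke-WebRequest validates the server certificate; never turn that off,
    # or anything on the path between this host and pfSense can feed it a PFX.
    Invoke-WebRequest -Uri $PfxUrl -OutFile $TempPfx -UseBasicParsing

    # Parse the file first so the thumbprint is known before touching the store.
    $newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $TempPfx, $PfxPassword
    $newThumb = $newCert.Thumbprint

    # Current RDP listener setting; SSLCertificateSHA1Hash is the property the
    # original post refers to.
    $rdp = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName 'Win32_TSGeneralSetting' -Filter "TerminalName='RDP-Tcp'"

    if ($rdp.SSLCertificateSHA1Hash -eq $newThumb) {
        Write-Output "RDP-Tcp already uses $newThumb; nothing to do."
        return
    }

    # The listener needs the key pair in the machine store, not a user store.
    Import-PfxCertificate -FilePath $TempPfx -CertStoreLocation 'Cert:\LocalMachine\My' `
        -Password $PfxPassword | Out-Null

    # Point the listener at the new key pair; new sessions pick it up without a
    # service restart.
    Set-CimInstance -InputObject $rdp -Property @{ SSLCertificateSHA1Hash = $newThumb }
    Write-Output "RDP-Tcp switched from $($rdp.SSLCertificateSHA1Hash) to $newThumb."
}
finally {
    # Do not leave a file containing the private key lying in %TEMP%.
    Remove-Item -Path $TempPfx -Force -ErrorAction SilentlyContinue
}
```

      Serving the PFX from /usr/local/www still means anyone who can reach the pfSense web server can fetch the private key, so keep the password on it and prefer an authenticated transfer such as the SSH pull Gertjan mentions. If the listener keeps presenting its self-signed certificate afterwards, NETWORK SERVICE (which TermService runs as) needs read access to the imported private key, which this script does not grant.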

        @tlex said in Exporting certs to Windows machines:

        ACME action list : openssl pkcs12 to generate the pfx on the PfSense box
        ACME action list : makes a copy of the cert from /conf/ACME to /usr/local/www (I know this is not cool)

        Steps 2 and 3:
        Why not: Go to System > Certificate Manager > Certificates and hit the symbol shown in the screenshot (image not reproduced here).
        This will have you download a p12 certificate.

        Edit: maybe not perfect for you, so:

        @tlex said in Exporting certs to Windows machines:

        using a local powershell script that runs from a scheduled task daily.

        powershell can also use remote SSH login.
        You can grab the P12 cert from wherever it is, like /conf/ACME.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        tlex @Gertjan

          @gertjan Well, that's the thing... I used to do it that way, but what I'm trying to do is to automate the new cert propagation on the network to avoid having to go manually everywhere every 90 days when ACME updates the certs with LetsEncrypt...

          jimp moved this topic from General pfSense Questions
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.