Add this Certificate Authority to the Operating System Trust Store
-
Hi
The official documentation says:
Trust Store: Controls whether or not this CA is added to the certificate trust store on the firewall. When added to the trust store, a CA will be considered valid for all certificate operations performed by the operating system. If the firewall must contact a server using a certificate issued by a private CA, this allows such certificates to be trusted by client programs such as LDAP authentication, SMTP notifications, URL table connections, and many others.
- I don't know when I should use this. Can someone give me some scenarios and why this would be used?
- To which store does this get added? Is it to remote clients? Is this a certificate flag to prompt installation?
thanks
shoulders
-
You need to use it if the CA has to be used by some client on the firewall itself, such as one of those listed. It adds the CA to the trust store on pfSense itself, not to remote clients.
Most users would not have to use that.
Steve
-
@stephenw10 When you say client, do you mean like a 3rd party package installed on pfSense?
-
Sorry, I confusingly used clients twice.
I mean checking that box when importing or creating a CA does nothing for remote clients (like an OpenVPN client) that might need the CA cert later.
It allows a client application on the firewall to connect to something using that CA that would otherwise not be trusted. So for example a local LDAP server using LDAPS can be added to the firewall and be authenticated.
Steve
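
The behaviour described in the reply above, as an added example that is not part of the original thread and not pfSense's own code: a throwaway private CA issues a certificate for a made-up LDAPS host, and `openssl verify` rejects it until the CA is placed in the store the verifier consults. The temp directory, CA name and host name are constructed for the demo, and the hash-named directory is OpenSSL's generic CApath layout, used here as a stand-in for the firewall's trust store.

```shell
#!/bin/sh
# Constructed demo. CA and host names are made up; STORE stands in for an OS trust store.
WORK=$(mktemp -d)
STORE="$WORK/store"
mkdir "$STORE"

# 1. Private CA plus a certificate it issues for an internal LDAPS server.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.internal" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/srv.pem" 2>/dev/null
}

# 2. What a local client program does on connect: try to build a chain from
#    the server certificate to a CA it finds in the store.
#    (The default system bundle is still consulted, but it does not know this CA.)
server_cert_trusted() {
    openssl verify -CApath "$STORE" "$WORK/srv.pem" >/dev/null 2>&1
}

# 3. "Add to trust store": OpenSSL looks CAs up as <subject-hash>.0 in the directory.
add_ca_to_store() {
    hash=$(openssl x509 -noout -hash -in "$WORK/ca.pem") &&
    cp "$WORK/ca.pem" "$STORE/$hash.0"
}

make_pki || { echo "openssl failed to create the demo PKI" >&2; exit 1; }

if server_cert_trusted; then echo "before: trusted"; else echo "before: NOT trusted"; fi
add_ca_to_store
if server_cert_trusted; then echo "after:  trusted"; else echo "after:  NOT trusted"; fi
```

Nothing in this changes what a remote machine trusts; only programs that verify against `$STORE` are affected, which mirrors the point that the checkbox acts on the firewall itself.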
-
@stephenw10 I will get an issue raised and get this snippet of information added to the docs.
Cheers, that sorted the issue out for me.
-
https://redmine.pfsense.org/issues/14174