Using 3rd Party CA for OpenVpn (e.g. GoDaddy)
I've read countless forum posts and blogs on the net that explain how to use OpenVPN to create a CA, Keys, DH etc. for PFsense's OpenVPN implementation. Do you have to use self-signed certificates or can you use one from a 3rd Party Root CA like GoDaddy. I have generated a rsa key (2048) then I create a request from that key in .PEM format. I request my CA (GoDaddy) to sign this request and it works of course. I then get emailed a *.crt which I can use on for my HTTP connection (with my private key pasted in as well) and all is good. (BTW I also get this bundle file but I'm not sure what this is for?) However, I want to use this signed certificate for my OpenVPN but one of the fields is DH parameters. How do I generate this if I don't use EasyRSA with self-signed certs?
You can use those certs, it's fine. The only downside might be that you can't make your own CRL in case you want to revoke your own certs later on, but they may have a way to do this as well.
DH parameters are just an extra bit of randomness (to keep it simple) and are not tied to the CA or Certs in any way.
If you just want to make, say, a DH parameter string of 1024 bits, you can just go to Diagnostics > Command and enter:
/usr/bin/openssl dhparam 1024
Then copy and paste the whole "–---BEGIN DH PARAMETERS----- ... -----END DH PARAMETERS-----" part into the DH parameters box.
Got it.. Thanks for clearing that up. I finally got everything working with PKI. PFSense rocks..