Multiple Peer Certificate Authorities



  • I am changing the CA for our OpenVPN clients. We manage our PKI outside of pfSense and import the certificates through the Cert Manager. To migrate the clients step by step, I would like OpenVPN to accept clients with certificates from multiple Certificate Authorities. OpenVPN supports this through concatenated PEMs in a file that is referenced by the ca config option.

    In the pfSense web interface, only a drop-down list is available for Peer Certificate Authority.

    I patched vpn_openvpn_server.php and openvpn.inc to not overwrite the ca file.

    It would be nice if the pfSense web interface supported multiple Peer Certificate Authorities.

    I searched Redmine but could not find such a feature request.


  • Rebel Alliance Developer Netgate

    Export both CA certs, then import them as a new single CA with both PEMs included in the import box.

    --- begin blahblah ---
    blahblah
    --- end blahblah ---
    --- begin blahblah ---
    blahblah
    --- end blahblah ---



  • Too easy  ;)

    Tested and fine.

    Could this be documented in the Wiki?
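
A pre-import check for the combined PEM described in the reply above, as an added example that is not part of the thread or of pfSense: it confirms the pasted text holds only well-formed CERTIFICATE blocks, with no private key and no duplicate. The function names are hypothetical, the sample blocks are constructed placeholder bytes rather than real certificates, and only the PEM framing is checked, not the X.509 content.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
MARKER = re.compile(r"^-----(?:BEGIN|END) [A-Z0-9 ]+-----\s*$", re.M)


def lint_ca_bundle(text):
    """Return (fingerprints, problems) for a concatenated CA PEM bundle."""
    fingerprints, problems = [], []
    blocks = list(PEM_BLOCK.finditer(text))
    if not blocks:
        problems.append("no PEM blocks found")
    # Every well-formed marker line must belong to a matched block (2 each).
    if len(MARKER.findall(text)) != 2 * len(blocks):
        problems.append("unpaired or mismatched BEGIN/END marker")
    for i, m in enumerate(blocks, 1):
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            # e.g. a CA private key pasted along with its certificate
            problems.append(f"block {i}: unexpected type {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: body is not valid base64")
            continue
        fp = hashlib.sha256(der).hexdigest()
        if fp in fingerprints:
            problems.append(f"block {i}: duplicate of an earlier block")
        else:
            fingerprints.append(fp)
    return fingerprints, problems


def fake_pem(label, payload):
    """Constructed sample: PEM framing around placeholder bytes, not a real cert."""
    b64 = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


OLD_CA = fake_pem("CERTIFICATE", b"constructed old CA placeholder")
NEW_CA = fake_pem("CERTIFICATE", b"constructed new CA placeholder")

if __name__ == "__main__":
    print(lint_ca_bundle(OLD_CA + NEW_CA))
```

Every CA left in the bundle stays trusted for client authentication, so drop the old CA's block once the last client has been migrated.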