PfSense CA signing external CSR
Hi, i want to use pfSense CA in my network as a main CA in my network to issue certs. One thing that is missing is the ability of pfSense CA to sign externally generated certificate signing requests (CSR). I know, i can export CA and do the signing elsewhere, but i am wondering why is this natural ability missing directly in pfSense.
thanks for the answers
ps: i tried to search for this or related answers, but found none really.
A bump. Does anybody know the answer? It seems to be an obvious thing, yet it is missing.
just curious but did you try openssl command from the command line?
command line is a good option, but where is the certificate and key? example?
Bumping this as well. I would like to be able to sign a CSR using my pfSense machine as the CA. Can't do it from the webconsole and I cant find the ca.key and ca.crt files on the machine to sign using openssl via a command prompt.
I would also like to sign a CSR request with my CA on the pfsense box using the webinterface. Normally i have CSRs in PEM/Base64 encoding (text based).
waking up this topic… I am having this same problem. Specifically, a web-based interface for a security camera. It does not allow me to upload my own private key, but it will create a CSR for me to sign. It looks like pfsense keeps the CA certificate and key in a configuration file (/cf/conf/config.xml) and not in files, making the command line option difficult.
Specifically, a web-based interface for a security camera. It does not allow me to upload my own private key, but it will create a CSR for me to sign.
Just in case you were talking about Axis, you can upload anything you want via FTP.
Old thread, but for anyone still looking for how to use pfSense to sign external requests, the article at
shows how using the openssl command from pfSense's command line.
Signing a CSR can be performed in the GUI on 2.4: https://redmine.pfsense.org/issues/7383
How soon till it is GA? 2.4 is still (Highly Experimental)
I just tested the latest 2.4.0 build and it does not seem to work with a CSR that has been generated on a separate system also there is no option to choose server or user signing. To solve my issue I:
1. Created the server certificate on PFSense (make sure it is set to server cert, the default is user cert)
2. Exported the new cert
3. Exported the new Key
4. Moved them to my JBOSS server
5. Converted they two to a PKCS12 (openssl)
6. Converted the P12 file to my keystore (Keytool)
mv /home/ncadmin/par.local.enms.net\ (1).crt ./par.crt
mv /home/ncadmin/par.local.enms.net\ (1).key ./par.key
openssl pkcs12 -export -in par.crt -inkey par.key -out par.p12 -name par_na_crt -CAfile RootCA-Pfsense.crt -caname root
keytool -importkeystore -deststorepass chgme -destkeypass chgme -destkeystore truecontrol.keystore -srckeystore par.p12 -srcstoretype PKCS12 -srcstorepass chgme -alias my_alias