SSL Certificate chain



  • Hi all,

    I'm having some trouble configuring a signed SSL certificate for the pfsense webconfigurator. The certificate chain is not recognized.

    Here's what I've done.

    I'm using a two-tier Windows CA (Root CA -> Intermediate CA). First, I imported both CA certificates into pfSense. pfSense recognizes the RootCA's issuer as self-signed, which is correct. It also recognizes the RootCA as being the issuer of the intermediate CA's certificate.
    Next, I created a CSR through the webconfigurator GUI, copied the CSR and signed it by the intermediate CA. I exported the certificate chain (BASE64, p7b), removed the Windows linebreaks and converted the p7b file to a crt (openssl pkcs7 -print_certs -in lp-pfsense-01.p7b -out lp-pfsense-01.crt). Finally, I copied the contents of the CRT file (which includes the pfSense CRT and both CA CRTs in the following order: pfSense -> Intermediate CA -> RootCA). Although I think I followed the correct procedure, the Issuer of the certificate is marked as external. When I use the certificate for the webconfigurator, Chrome and Safari are complaining my connection is not safe. When I look up the certificate information in Chrome, it does say it's signed by the intermediate CA, but it doesn't show me the chain up to the Root CA.

    BTW, I also checked the validity of the certificate through openssl (openssl verify -x509_strict -CAfile wp-pki-02.crt lp-pfsense-01.crt) and it tells me the certificate is valid, so I'm guessing pfSense is the problem here.

    Is there anyone of you guys that can help me out with this issue? Thanks in advance!
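The checks the poster describes, as an added example that is not part of the thread: it builds a throwaway two-tier chain (Root CA -> Intermediate CA -> leaf) with the openssl CLI (1.1.1 or later assumed), shows that the leaf verifies against the root only when the intermediate is supplied, and checks a pasted PEM bundle for the leaf -> intermediate -> root order. The names (Example Root CA, pfsense.example) and files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): builds a throwaway two-tier chain
# (Root CA -> Intermediate CA -> leaf) like the poster's Windows PKI, then
# shows why the leaf verifies only when the intermediate is supplied and
# how to check that a PEM bundle is ordered leaf -> intermediate -> root.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal config that gives the CA certificates the extensions a chain needs
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n' > ca.cnf
printf '[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> ca.cnf
# Self-signed root, intermediate issued by the root, leaf issued by the intermediate
openssl req -x509 -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout root.key -out root.crt -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1
openssl req -new -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.cnf -extensions ca_ext -out int.crt -days 2 >/dev/null 2>&1
openssl req -new -config ca.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=pfsense.example" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out leaf.crt -days 2 >/dev/null 2>&1
# Verify the leaf against the trusted root; the intermediate, if given, is
# passed as -untrusted because it is part of the path, not a trust anchor.
verify_leaf() {  # $1 = leaf, $2 = root, $3 = intermediate (optional)
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo fail
  fi
}
# A bundle is ordered when each certificate's issuer is the subject of the
# one that follows it (openssl verify only checks the FIRST cert in a file).
chain_ordered() {  # $1 = PEM bundle; prints "ordered" or "broken"
  rm -rf parts && mkdir parts
  awk '/-----BEGIN CERT/{n++} {print > ("parts/" n ".pem")}' "$1"
  i=1; want=""
  while [ -f "parts/$i.pem" ]; do
    subj=$(openssl x509 -in "parts/$i.pem" -noout -subject_hash)
    if [ -n "$want" ] && [ "$want" != "$subj" ]; then echo broken; return 0; fi
    want=$(openssl x509 -in "parts/$i.pem" -noout -issuer_hash)
    i=$((i + 1))
  done
  echo ordered
}
cat leaf.crt int.crt root.crt > chain-good.pem   # the order the poster pasted
cat leaf.crt root.crt int.crt > chain-bad.pem    # constructed mis-ordered bundle
echo "root only: $(verify_leaf leaf.crt root.crt)  with intermediate: $(verify_leaf leaf.crt root.crt int.crt)"
echo "good bundle: $(chain_ordered chain-good.pem)  bad bundle: $(chain_ordered chain-bad.pem)"
```

Because openssl verify only examines the first certificate in the file it is given, a verify that passes says nothing about whether the intermediate was included or correctly ordered; chain_ordered covers that part.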


  • LAYER 8 Netgate

    The operating system doesn't care if the certificate chain is presented or not.  What it cares about is whether the chain is anchored by a certificate in its trusted root store.

    You will have to export the CA certificate you created in pfSense and tell your operating system to trust it to sign certificates.  This will have to be done on every host you wish to not throw errors.  In the operating system and in Firefox.  (I think Chrome uses the operating system certificate store.)



  • But I don't want to use pfSense as a root CA. As I said, I'm using another root and intermediate CA. Of course, I've installed the root CA's certificate into my computer's local trusted root store.

    I'm also running a bunch of nginx webservers to which I've applied the same concept. All those web applications' certificate chains are recognized by my browser. pfSense is the only one my system is complaining about.


  • LAYER 8 Netgate

    I use startssl for my pfSense certs.  The root is trusted by all major browsers.  I import the Class 1 intermediate cert into CAs and the issued certificate in Certificates then tell webConfigurator to use the issued cert.  It all just works.

    I would delete what you have done then reinstall the end certificate pasting in JUST the issued cert, no CAs.

    pfSense should automatically see that it was issued by the intermediate and see that the intermediate was issued by the root.

    You should also be able to safely delete the root cert from pfSense.  If that is trusted by the end browser it's already and there's no reason to have it on pfSense.

