Client private key with external CA (why?)
I use external CA to enroll clients' and server's certificates. No problems with that. But I got confused after some period of using OpenVPN. When I import clients' certificates in pfSense, "Private key data" field is required to be filled. But it's not required for CA certificate (fortunately). So I created 2 users and added them certificates with the same "Certificate data". But for the first user's certificate I input correct key in "Private key data" field, and for the second user I just input a space symbol (or whatever you want, even it says it must be in PEM format). Both certificates were imported successfully and there is no wonder that both users could successfully connect to OpenVPN server with the same client's configuration on their side.
May be I misunderstand something, but there is no need for pfSense to keep clients' private keys if it uses external CA. OpenVPN server doesn't use clients' private keys anyway, does it? To my point of view it's also a security risk. Or there is just missing info in web GUI, because pfSense doesn't know what usage of importing certificate is?
Explain, please, am I right?
Version: 2.2.4-RELEASE (amd64) built on Sat Jul 25 19:57:37 CDT 2015 FreeBSD 10.1-RELEASE-p15
You don't import client certs at all unless you're using the entirety of the certificate. That's for using the cert with OpenVPN or IPsec, only in contexts where you must have the key to use the cert. You never import any client certificates when using an external CA, unless maybe you want to use OpenVPN Client Export (in which case the key is required).
There's no use case for the certificate manager with a user or server cert with no key, which is why it's required.
Oh, now it's clear for me. Thanks for explanation.