Generating a CSR and Installing an SSL Certificate in pfSense
Lisa Anderson
pfSense manages SSL Certificates entirely through its web interface, which makes it one of the friendlier platforms in this series. Everything happens in the built-in Certificate Manager, from generating the Certificate Signing Request (CSR) through to completing it with the issued SSL Certificate.
The one concept worth understanding upfront is that pfSense keeps the Private Key inside the pending request entry and treats the request and its completion as a single object, so both halves must happen on the same firewall.
Prerequisites
You need administrator access to the pfSense web interface. The procedure below applies to current pfSense CE and pfSense Plus releases, where the Certificate Manager lives under System, then Certificates; older 2.4.x releases label the same pages Cert. Manager, and the steps are otherwise identical.
Your issued SSL Certificate and the ca-bundle containing the Intermediate Certificates will be available in the tracking system once validation completes. View Our Tracking & SSL Management
Generating the Certificate Signing Request
Navigate to System, then Certificates, and open the Certificates tab. Click Add/Sign (simply Add on older releases) to create a new entry and set the Method to Create a Certificate Signing Request. When you save the form, pfSense generates the Private Key on the firewall itself, which is exactly where it should stay.
Give the entry a descriptive name, choose a key type of RSA at 2048 bits or stronger (or ECDSA on a P-256 or P-384 curve if your CA accepts it), leave the Digest Algorithm at SHA-256, and complete the Distinguished Name fields. The Common Name must be the exact hostname the SSL Certificate will secure. Browsers match the hostname against the Subject Alternative Name list rather than the Common Name, so repeat the Common Name as an Alternative Name of type FQDN or Hostname and add every further hostname the firewall will serve there; a name left out now can only be added with a new request.
Save the entry, then click the edit icon beside it to display the generated request. Copy the full text, from the BEGIN CERTIFICATE REQUEST line through the END CERTIFICATE REQUEST line inclusive, and submit it when placing your order. Validation then proceeds as normal. Learn About the Validation Procedure
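Before the request goes into the order form, it is worth confirming that what you copied is a complete request carrying the key size and hostnames you intended. The shell functions below are an added example, not code from the original article or from pfSense; they assume the openssl command-line tool (1.1.1 or newer) on any workstation, and that the text copied from the Certificate Manager has been saved to a file (firewall.csr and fw.example.com are placeholders). The check deliberately fails when the Common Name is absent from the Subject Alternative Names, since browsers match hostnames against that list only.

```sh
#!/bin/sh
# Added example (not from the article or pfSense): sanity-check a CSR copied out of the
# pfSense Certificate Manager before submitting it. Needs the openssl CLI (1.1.1 or newer).
# File names and hostnames are placeholders.

# Print the Common Name of the request, or nothing if it has none.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Print the DNS entries of the Subject Alternative Name extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Print the public key size in bits (matches both the RSA and the ECDSA wording of -text).
csr_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr FILE [MIN_BITS]
# Returns 0 when FILE is a complete request whose self-signature verifies, the key has at
# least MIN_BITS (default 2048, the RSA minimum; pass 256 for ECDSA P-256) and the Common
# Name also appears as a DNS Subject Alternative Name. Otherwise prints the problem, returns 1.
check_csr() {
    csr=$1
    min=${2:-2048}
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "not a complete CSR, or its self-signature failed: $csr"
        return 1
    fi
    cn=$(csr_cn "$csr")
    if [ -z "$cn" ]; then
        echo "request has no Common Name"
        return 1
    fi
    bits=$(csr_bits "$csr")
    if [ -z "$bits" ] || [ "$bits" -lt "$min" ]; then
        echo "key is ${bits:-unknown} bits, below the $min minimum"
        return 1
    fi
    if ! csr_sans "$csr" | grep -qx "$cn"; then
        echo "Common Name $cn is not listed as a DNS Subject Alternative Name"
        return 1
    fi
    echo "CSR OK: CN=$cn, ${bits}-bit key, SANs: $(csr_sans "$csr" | tr '\n' ' ')"
}

# Usage: save the text copied from pfSense as firewall.csr, then:
#   check_csr firewall.csr
```

A failure on the self-signature step usually means the begin or end marker, or a line in between, was not copied; the other failures are reasons to delete the pending entry and create the request again before ordering, while that is still free.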
Completing the Signing Request
Once issued, download your SSL Certificate in PEM format (the Base64 text between the BEGIN CERTIFICATE and END CERTIFICATE lines, which is the form the pfSense fields accept) from the tracking system and return to the Certificates tab in pfSense. The entry you created shows as a pending request with an edit option.
Open the entry, paste the server SSL Certificate alone, not the ca-bundle, into the Final certificate data field, and save. The status changes from pending to a normal SSL Certificate, now paired with the Private Key that never left the firewall.
Warning: Deleting the pending request before completing it destroys the Private Key, and the issued SSL Certificate can never be paired with it afterward. If a pending request has been removed, create a new Certificate Signing Request (CSR) and complete a reissue rather than attempting recovery.
To complete the chain, import the Intermediate Certificates separately under the Authorities tab using the Import an existing Certificate Authority option, one entry per Intermediate Certificate in the ca-bundle. Without this import pfSense sends only the server SSL Certificate; with it, pfSense serves the full chain to connecting clients. Learn About Intermediate Certificates
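Two things go wrong at this step often enough to check for before pasting: the wrong block of text (an Intermediate Certificate or the whole ca-bundle instead of the server SSL Certificate) and a certificate whose public key does not belong to the pending request. The shell functions below are an added example, not part of the article or of pfSense; they assume the openssl command-line tool and use placeholder file names (fw.crt for the issued certificate, fw.csr for the request text copied earlier, ca-bundle.crt for the Intermediate Certificates). The last two functions also cover the Authorities import: splitting a ca-bundle into one file per Intermediate Certificate, and confirming the bundle actually completes the chain.

```sh
#!/bin/sh
# Added example (not from the article or pfSense): checks for the completion step and for
# the Intermediate Certificate import. Needs the openssl CLI. File names are placeholders.

# Classify a PEM file: key, csr, ca-cert (root or intermediate), leaf-cert or unknown.
pem_kind() {
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then
        echo csr
    elif grep -q 'PRIVATE KEY' "$1"; then
        echo key
    elif grep -q 'BEGIN CERTIFICATE' "$1"; then
        # basicConstraints CA:TRUE marks a CA certificate; a server certificate never has it
        if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
            echo ca-cert
        else
            echo leaf-cert
        fi
    else
        echo unknown
    fi
}

# Return 0 when the certificate carries the same public key as the request, i.e. it was
# issued for the Private Key that pfSense generated together with this CSR.
cert_matches_csr() {
    certkey=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    csrkey=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$certkey" ] && [ "$certkey" = "$csrkey" ]
}

# check_completion CERT CSR: is CERT the right thing to paste into Final certificate data?
check_completion() {
    kind=$(pem_kind "$1")
    case $kind in
        leaf-cert) ;;
        ca-cert)
            echo "this is a CA certificate; it belongs under Authorities, not in Final certificate data"
            return 1 ;;
        *)
            echo "expected a server certificate, got: $kind"
            return 1 ;;
    esac
    if ! cert_matches_csr "$1" "$2"; then
        echo "public key differs from the CSR: wrong certificate, or the request was regenerated"
        return 1
    fi
    echo "certificate matches the pending request"
}

# split_bundle BUNDLE OUTDIR: write each certificate in a ca-bundle to its own file
# (OUTDIR/intermediate-N.pem) and show subject and issuer, for importing one at a time.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/intermediate-%d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
    for f in "$2"/intermediate-*.pem; do
        printf '%s: %s\n' "$f" \
            "$(openssl x509 -in "$f" -noout -subject -issuer 2>/dev/null | tr '\n' ' ')"
    done
}

# verify_with_bundle CERT BUNDLE [CAFILE]: does CERT chain through BUNDLE to a trusted root?
# Without CAFILE the workstation's trust store is used, which is what a client does.
verify_with_bundle() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1"
    else
        openssl verify -untrusted "$2" "$1"
    fi
}

# Usage: check_completion fw.crt fw.csr; split_bundle ca-bundle.crt parts
#        verify_with_bundle fw.crt ca-bundle.crt
```

Run verify_with_bundle without a third argument for the real check; passing a root as CAFILE is only useful for a private CA or a test setup. A "unable to get local issuer certificate" result means the ca-bundle does not contain the Intermediate Certificate that signed your SSL Certificate, and importing it into pfSense will not fix the chain.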
Importing an Existing SSL Certificate Instead
When the SSL Certificate and Private Key already exist elsewhere, skip the request process entirely. On the Certificates tab click Add/Sign, set the Method to Import an existing Certificate, and paste the SSL Certificate data and Private Key data into their respective fields. The Private Key must be pasted as unencrypted PEM text; pfSense cannot use a passphrase-protected key, so decrypt it first.
This path suits SSL Certificates moving from another server, though generating the request on pfSense itself remains the cleaner approach for a firewall that will hold the SSL Certificate long term, because the Private Key then never travels between systems.
Assigning the SSL Certificate
An installed SSL Certificate does nothing until a service uses it. The web interface of pfSense is served over Transport Layer Security (TLS), so it makes a sensible first assignment. Navigate to System, then Advanced, and on the Admin Access tab make sure the Protocol is HTTPS (SSL/TLS), select the new SSL Certificate in the SSL/TLS Certificate dropdown, then save. Reconnect using a hostname the SSL Certificate covers rather than the LAN IP address, or the browser will still warn about a name mismatch.
Packages terminating HTTPS on the firewall, such as the HAProxy package, select their SSL Certificate within their own settings from the same shared store. Captive portal HTTPS login pages assign theirs under the portal configuration.
Verifying the Installation
Browse to the secured service and inspect the SSL Certificate in the browser. An external scan then confirms the full chain reaches fresh clients, which matters here because browsers cache Intermediate Certificates they have seen before and can hide a missing Intermediate Certificate import; the warning then appears only on stricter or first-time clients. Trustico® provides free checking tools for this confirmation. Explore Our Trustico® SSL Tools
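Inspecting in a browser that has already seen the Intermediate Certificate can pass a chain that fails elsewhere, because the browser fills the gap from its cache. The functions below are an added example, not code from the article or from pfSense; they assume the openssl command-line tool on a workstation that can reach the firewall, and placeholder names (fw.example.com, chain.pem). capture_chain records exactly what the service sends, and audit_chain applies the checks a fresh client would: an Intermediate Certificate must be present, each certificate must be issued by the one after it, and the leaf must verify to a trusted root using only the served certificates.

```sh
#!/bin/sh
# Added example (not from the article or pfSense): capture the chain a pfSense service
# actually sends and check it the way a fresh client would. Needs the openssl CLI.
# Hostnames and file names are placeholders.

# capture_chain HOST [PORT] > chain.pem
# Connects with SNI set to HOST and prints every certificate the server sent, leaf first.
# Use the hostname from the certificate, not the LAN IP, so that name-based frontends
# (for example HAProxy) pick the same certificate a browser would get.
capture_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/ { p = 1 } p { print } /-----END CERTIFICATE-----/ { p = 0 }'
}

# split_chain CHAIN DIR: one file per certificate (DIR/01.pem, 02.pem, ...); prints the count.
split_chain() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$1"
}

# chain_summary CHAIN: one line per certificate, in served order: subject <- issuer [CA]
chain_summary() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir" >/dev/null
    for f in "$dir"/*.pem; do
        if openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then ca=" [CA]"; else ca=""; fi
        printf '%s <- %s%s\n' \
            "$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')" \
            "$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')" "$ca"
    done
    rm -rf "$dir"
}

# audit_chain CHAIN [CAFILE]
# Fails when the server sent only the leaf (the Intermediate Certificate was never imported
# under Authorities), when the certificates are out of order (each must be issued by the next
# one), or when the leaf does not verify through the served intermediates to CAFILE
# (default: the workstation's trust store, which is what a client uses).
audit_chain() {
    chain=$1
    cafile=$2
    dir=$(mktemp -d)
    n=$(split_chain "$chain" "$dir")
    if [ "$n" -lt 2 ]; then
        echo "server sent $n certificate(s): the Intermediate Certificate is missing"
        rm -rf "$dir"; return 1
    fi
    expect=""
    for f in "$dir"/*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        if [ -n "$expect" ] && [ "$subj" != "$expect" ]; then
            echo "chain out of order: expected $expect, got $subj"
            rm -rf "$dir"; return 1
        fi
        expect=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    done
    # everything after the leaf is untrusted input for path building, exactly as a client sees it
    for f in "$dir"/*.pem; do [ "$f" = "$dir/01.pem" ] || cat "$f"; done > "$dir/intermediates"
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" -untrusted "$dir/intermediates" "$dir/01.pem"
    else
        openssl verify -untrusted "$dir/intermediates" "$dir/01.pem"
    fi
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage: capture_chain fw.example.com > chain.pem && chain_summary chain.pem && audit_chain chain.pem
```

Point capture_chain at the web interface port (8443 if you moved it) and at each HAProxy frontend or captive portal port in turn; every HTTPS-terminating service on the firewall must pass this check on its own, since each one assembles its chain separately from the shared store.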
Troubleshooting Common Installation Problems
A pasted SSL Certificate that pfSense rejects as not matching usually means the wrong file was pasted, such as an Intermediate Certificate or the whole ca-bundle instead of the server SSL Certificate. Check that the subject of what you pasted is your hostname rather than the name of a certificate authority.
If the request was generated on a different firewall, or regenerated after submission, the Private Key cannot pair with the issued SSL Certificate. A reissue against a fresh Certificate Signing Request (CSR) from the correct firewall resolves it. Learn About Reissuing Your SSL Certificate
Browser warnings that persist after assignment usually mean the old session or certificate is cached, or that you are connecting to an address, such as the LAN IP, that is not among the names in the SSL Certificate. Close the browser entirely and reconnect using a hostname the SSL Certificate covers before assuming the installation failed.
Professional Installation Assistance
pfSense keeps SSL Certificate handling approachable, but firewalls running multiple HTTPS terminating packages can make the assignment step confusing.
Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service