pfSense setup in a two-tier PKI?


Curious if it makes sense (or is possible) to set up a two-tier PKI with pfSense, with one as an offline root and the other online as subordinate/issuing. Main purpose would be securing internal sites and LDAP binds.

Our current setup includes an unlicensed Windows CA with NPS also installed alongside, neither of which appear to be configured or issuing certs.

We also have a Sophos SG230 UTM that, if possible, could be brought into the hierarchy. It’s currently issuing user certificates for the SSL VPN, and the certificate needs to be updated for compatibility with Sophos Connect. It’s giving an error:

VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak.

Because of this we’re still using the Sophos SSL VPN (Traffic Light) client.

Open to suggestions and any help appreciated.


If this is a Windows environment then your best option is to configure your certificate server properly; otherwise I think you will have a bigger headache long term.

Even as a single tier? I’ve seen it implemented as such, but I’m not sure if that’s considered good practice or if licensing justifies the cost in the SMB.

We started setting up a 2-tier ADCS in our lab environment recently using the following guide:

Deploying A Multi-Tier PKI (Public Key Infrastructure) Inside an Active Directory Domain Using ADCS

Around the 30-minute mark the CRL and AIA are published to and

Should this information be published to an external/publicly available location? Just want to confirm if that’s the case, or whether it should be published to an intranet site or a site in a DMZ.

Another side question I have is: could we also use our internal PKI to secure remote access if, for some reason, the application did not support automatic renewals through ACME/Let’s Encrypt?
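To make the offline-root / online-issuing structure from the opening post and the CRL/AIA publishing question above concrete, here is an added OpenSSL walk-through (example code, not from the thread, pfSense, Sophos or the linked guide): it builds a throwaway two-tier hierarchy signed with SHA-256, stamps the CDP and AIA URLs into the end-entity cert, and adds a check that flags the MD5/SHA-1 signing condition behind the "CA signature digest algorithm too weak" error. The hostnames and URLs are constructed placeholders and it assumes `openssl` 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example: two-tier test PKI with OpenSSL (root -> issuing CA -> server),
# all SHA-256. Hostnames/URLs below are constructed placeholders. In production
# the root key stays on the offline machine; only root.crt is copied out.
set -e
WORK=$(mktemp -d)
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name=dn
x509_extensions=root_ca
[dn]
[root_ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
[issuing_ca]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
[server]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:intranet.example.internal
crlDistributionPoints=URI:http://pki.example.internal/issuing.crl
authorityInfoAccess=caIssuers;URI:http://pki.example.internal/issuing.crt
EOF
# Offline root: self-signed, SHA-256, long lifetime, never issues leaf certs.
openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:3072 -nodes -sha256 \
  -days 3650 -subj "/CN=Example Offline Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# Online issuing CA: its CSR is signed by the root with the issuing_ca profile.
openssl req -new -config "$WORK/pki.cnf" -newkey rsa:3072 -nodes \
  -subj "/CN=Example Issuing CA" -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1825 -in "$WORK/issuing.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/pki.cnf" \
  -extensions issuing_ca -out "$WORK/issuing.crt" 2>/dev/null
# Server cert: issued online; carries the CDP and AIA URLs that clients fetch.
openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=intranet.example.internal" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -sha256 -days 397 -in "$WORK/server.csr" -CA "$WORK/issuing.crt" \
  -CAkey "$WORK/issuing.key" -CAcreateserial -extfile "$WORK/pki.cnf" \
  -extensions server -out "$WORK/server.crt" 2>/dev/null
# sig_digest CERT: print the signature algorithm, e.g. sha256WithRSAEncryption.
sig_digest() { openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'; }
# weak_digest CERT: succeed if signed with MD5/SHA-1 (what OpenVPN rejects as "too weak").
weak_digest() { case "$(sig_digest "$1")" in md5*|sha1*) return 0 ;; *) return 1 ;; esac; }
# verify_chain: the server cert must chain through the issuing CA to the trusted root.
verify_chain() { openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/issuing.crt" "$WORK/server.crt" >/dev/null; }
```

Running `weak_digest` against an existing CA certificate (for example the one the SSL VPN currently trusts) is the quick way to tell whether a re-issue with SHA-256 is what the error is asking for.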