pfSense setup in a two-tier PKI?

Hello,

Curious if it makes sense (or is possible) to set up a two-tier PKI with pfSense, with one as an offline root and the other online as subordinate/issuing. Main purpose would be securing internal sites, and LDAP binds.

Our current setup includes an unlicensed Windows CA with NPS also installed alongside, neither of which appear to be configured or issuing certs.

We also have a Sophos SG230 UTM that, if possible, could be brought into the hierarchy. It's currently issuing user certificates for the SSL VPN, and the certificate needs to be updated for compatibility with Sophos Connect. It's giving an error:
VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak. Because of this we're still using the Sophos SSL VPN (Traffic Light) client.

Open to suggestions and any help appreciated.

Thanks,
Andrew
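As an added example (not part of Andrew's post or any reply), here is the shape of the two-tier hierarchy being asked about, built with openssl so each piece can be inspected: an offline root that signs only the issuing CA, an issuing CA constrained with pathlen:0 that signs leaf certificates, and a check that reads the signature algorithm of every certificate in the chain, which is what the "CA signature digest algorithm too weak" error is complaining about. Names, key sizes, lifetimes and the working directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example: two-tier PKI (offline root + online issuing CA) with openssl,
# plus a check for weak signature digests. All names/sizes/lifetimes are assumed.

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

build_two_tier_pki() (
  cd "$WORK" || exit 1
  # Root CA: self-signed, SHA-256. Its key is the only artifact that stays offline.
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Offline Root CA" \
    -keyout root.key -out root.crt 2>/dev/null || exit 1
  # Issuing CA: key + CSR generated online, signed once by the root.
  openssl req -newkey rsa:3072 -nodes -sha256 \
    -subj "/CN=Example Issuing CA" \
    -keyout issuing.key -out issuing.csr 2>/dev/null || exit 1
  # CA extensions: subordinate may sign leaves but not further CAs (pathlen:0).
  printf '%s\n' \
    'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > ca.ext
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -sha256 -days 1825 -extfile ca.ext -out issuing.crt 2>/dev/null || exit 1
  # Leaf: an internal web server certificate issued by the subordinate.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=intranet.example.internal" \
    -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:intranet.example.internal' > leaf.ext
  openssl x509 -req -in leaf.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
    -sha256 -days 397 -extfile leaf.ext -out leaf.crt 2>/dev/null || exit 1
  # Chain a client needs to validate the leaf (issuing first, root last).
  cat issuing.crt root.crt > chain.crt
)

# Print the signature algorithm of a certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Return 0 for a SHA-2 family signature, 1 for anything else (sha1, md5, ...).
digest_is_strong() {
  case "$1" in
    sha256*|sha384*|sha512*) return 0 ;;
    *) return 1 ;;
  esac
}

# Validate leaf -> issuing -> root with openssl's own path builder.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/issuing.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Walk every certificate in the chain and flag the condition behind the
# "CA signature digest algorithm too weak" error from the original post.
chain_digests_ok() {
  for c in "$WORK/root.crt" "$WORK/issuing.crt" "$WORK/leaf.crt"; do
    alg="$(sig_alg "$c")"
    if ! digest_is_strong "$alg"; then
      echo "weak signature digest on $c: $alg"
      return 1
    fi
  done
  return 0
}

# Stand-alone run: build, verify, and report.
build_two_tier_pki && verify_chain && chain_digests_ok \
  && echo "two-tier chain built and verified in $WORK"
```

Only root.key needs to live offline; the firewall or UTM would import issuing.key/issuing.crt as its CA and hand chain.crt to clients. The same sig_alg check, pointed at an existing CA certificate, shows whether it was signed with SHA-1, which is the usual reason a modern OpenVPN-based client rejects an older chain.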

If this is a Windows environment then your best option is to configure your certificate server properly; otherwise I think you will have a bigger headache long term.

Even as a single tier? I've seen it implemented as such but not sure if that's considered a good practice or if licensing justifies the cost in the SMB.