pfSense with Certificate Authority Homelab: step-ca

::Update 12/23::

I was able to get step-ca set up on a VM within my network. I have gone to each of my servers and installed my root certificate's fingerprint. I want to now use this CA on my pfSense for the webGUI and for my OpenVPN connections.

How do I install my root CA's fingerprint as trusted within my pfSense? It seems like the GUI doesn't offer this option. Can I just do this within pfSense's command line with some FreeBSD utility?

Am I doing this in the right order?

  1. install fingerprint on pfSense
  2. then upload external certificate into the webGUI.

I plan to establish step-ca as a certificate authority in my home lab, which currently includes a Netgate firewall. I’m avoiding a reverse proxy and the Let’s Encrypt setup. I want to integrate step-ca with OpenVPN as this will be my only access to the network. The complexity of this project has led to some procrastination on my part. I have found a bunch of step-ca guides that also include using a Yubi-key, which I’m not planning on doing.

Can anyone recommend resources or tips for configuring step-ca with pfSense, including getting the DNS setup?

Do I need to set up an internal DNS server first?

Thinking about going with this one instead.

I would appreciate any articles that can help me get started.

Thanks!

I think you can just import the CA’s cert into pfSense and use it. You could go a step further and create an intermediate cert that lets pfSense sign new certs for you if you want to make use of user certs and the OpenVPN client exporter. That would put the root of trust with your external CA while still allowing the convenience of managing user-facing certificates from the pfSense UI.

So, I was successful in setting up step-ca.

  1. I uploaded and installed my CA fingerprint to each of my servers and my PC.

  2. I requested certificates from my CA for each of my services and configured each service to use them.

Firefox is now showing the locked icon whenever I access each of my web servers through my browser.

I want to use this same step-ca server for my pfSense webGUI and OpenVPN.

Inside the webGUI I don't see anywhere to import my external CA's thumbprint. It only asks for certificate data.

step-ca requires the step CLI to work properly. Can I log into my pfSense through SSH and install step as a package? Will this mess with any other services?

Can I just install the CA’s fingerprint with some other internal FreeBSD tool so I can then upload my certificates in the GUI as usual?

The fingerprint is just a hash of the certificate for identification purposes. If you want to make actual use of the CA, you’ll have to provide that data. You should be able to just cat that data out from your CA and copy/paste it in.

My current understanding of setting up certificate authentication is as follows:

  1. Certificate Authority generates the root certificate
  2. Root certificate or Root fingerprint needs to be uploaded and installed on each individual server that trusts the CA
  3. Each server then needs to be issued a certificate from the CA.
  4. Each service within the server needs to be configured to use that certificate issued by the CA.
  5. After this if you have the root fingerprint or root certificate installed on your client you will trust all certificates issued by the CA.

Is this correct?

What is the difference between a root certificate and a root fingerprint? Can I paste my CA’s root fingerprint directly into the ‘certificate data’ field? Then just upload a certificate that my CA issues into pfSense.

How should I handle Certificate Signing Requests in pfSense? After generating a CSR in pfSense, what is the correct process to get it signed by my private CA and correctly installed?

Is having a certificate signed equivalent to being issued a certificate by the CA?

You've pretty much got it, except for point 5 (and the fingerprint bit of point 2, unless step-ca uses the term in a way with which I'm not familiar).

Typically a fingerprint is a hash of a value that’s used to verify that the value hasn’t changed. So, for example, you could save the fingerprint of any TLS certificate and compare it to the one that a site gives you to make sure the cert hasn’t changed. There are browser extensions that do this. So unless step-ca uses the terminology differently than the standard meaning, the fingerprint doesn’t help you in this instance.

I’m not familiar with step-ca specifically, but it should save the certificates somewhere that you can export. I think what I’d try to do is to create an intermediate CA certificate and import that into pfSense. You do that in pfSense under System > Certificates > Authorities. Click Add and choose Import an Existing Certificate Authority as the method. Then paste the certificate and key data into the fields there.

That would let you create new certificates in pfSense and sign them with the intermediate CA. Because your clients trust your CA’s root, they will trust certs signed by the intermediate as well.


Thank you for taking the time to respond and looking at the documentation.

I found my misconception with the fingerprint. After setting up your step-ca server in order to request the CA’s root certificate you need to use the step command along with the CA fingerprint to have the certs transferred over.

Just to update my list on steps for a CA:

  1. Certificate Authority generates the root certificate
  2. Root certificate is uploaded and installed on each individual server that trusts the CA
  3. Each server then needs to be issued a certificate from the CA.
  4. Each service within the server needs to be configured to use that certificate issued by the CA.
  5. If you have the root certificate installed on your client you will trust all certificates issued by the CA.

I’ll try setting up the intermediate CA and see how that goes. Thanks!

So the certificate data means the root certificate of the CA (root_ca.crt) and the key will allow pfSense to create certificates with the intermediate CA certs?

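The chain the earlier reply describes (root trusted by clients, intermediate imported into pfSense, CSR signed by that intermediate) and the fingerprint check from the bootstrap step, as an added shell example built with plain openssl rather than step-ca's own tooling; the CA names, the hostname firewall.lab.example and the work directory are assumed lab values, and nothing here is code from the thread or from the step-ca project.

```shell
# Added example (not from the thread): rebuild the trust chain the replies
# describe with plain openssl so each piece can be inspected. CA names, the
# hostname and the work directory are made-up lab values.
set -eu
WORK=${WORK:-$(mktemp -d)}

# The fingerprint step-ca prints is the SHA-256 of the DER-encoded root cert,
# lowercase hex without colons. It identifies root_ca.crt; it cannot replace it.
root_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}
# What "step ca bootstrap --fingerprint" checks before trusting a downloaded
# root: the hash of what arrived must equal the value obtained out of band.
verify_root() {
  [ "$(root_fingerprint "$1")" = "$2" ]
}

build_chain() {
  # 1. Root CA. The key stays on the CA host; only root_ca.crt is distributed.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/root_ca.key" -out "$WORK/root_ca.crt" -days 3650 \
    -subj "/CN=Homelab Root CA" -addext "keyUsage=critical,keyCertSign,cRLSign"
  # 2. Intermediate CA for pfSense: this cert and key are what gets pasted into
  #    System > Certificates > Authorities > Import. pathlen:0 keeps a stolen
  #    firewall key from minting further CAs.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/pfsense_int.key" -out "$WORK/pfsense_int.csr" \
    -subj "/CN=pfSense Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/pfsense_int.csr" -CA "$WORK/root_ca.crt" \
    -CAkey "$WORK/root_ca.key" -CAcreateserial -days 1825 \
    -extfile "$WORK/int.ext" -out "$WORK/pfsense_int.crt"
  # 3. WebGUI leaf: the CSR pfSense generates, signed by the intermediate.
  #    "Signed by the CA" and "issued by the CA" are the same thing.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/webgui.key" -out "$WORK/webgui.csr" -subj "/CN=firewall.lab.example"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:firewall.lab.example\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/webgui.csr" -CA "$WORK/pfsense_int.crt" \
    -CAkey "$WORK/pfsense_int.key" -CAcreateserial -days 90 \
    -extfile "$WORK/leaf.ext" -out "$WORK/webgui.crt"
}

# A client that trusts only root_ca.crt accepts the webGUI cert when the
# intermediate is presented alongside it (pfSense sends the chain).
verify_chain() {
  openssl verify -CAfile "$WORK/root_ca.crt" -untrusted "$WORK/pfsense_int.crt" \
    "$WORK/webgui.crt" >/dev/null
}
```

Run `build_chain` once, then `verify_root "$WORK/root_ca.crt" <expected-fingerprint>` and `verify_chain`; a wrong fingerprint or a leaf signed by anything other than the imported intermediate makes the corresponding check fail.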

Looks like you got it down pat to me!
