pfSense provides a variety of functions such as a Firewall, DHCP server, various types of VPN server, and can also act as a rootCA. A related feature it cannot currently do but other similar products can (e.g. Cisco ASA servers) is act as a SCEP server.
(This is likely to be teaching Grandma to suck eggs, but SCEP stands for Self Certificate Enrolment Protocol and was invented by Cisco for exactly this sort of situation.)
SCEP would allow a client to automatically obtain a client certificate which could then be used to make an authenticated connection to pfSense via VPN instead of using a PSK (pre-shared-key). This would save having to manually generate lots of user certificates for VPN users. pfSense would still be able to revoke certificates as needed.
As pfSense uses various open-source tools, you could use a similar open-source SCEP implementation. Here is an example http://code.google.com/p/jscep/