Feature #4606


PKI : CA signing external CSR

Added by Matthieu Bouthors over 6 years ago. Updated over 4 years ago.



I like the internal CA included with pfsense.
I would like to use it to also sign certificates for my servers.
I would like to import the Certificate Signing Request (CSR) generated on a server and use the pfSense CA to generate the server certificate.

Other people did request this feature on the forum, for example:

I don't know if there is a command line to do it already.


#1

Updated by Chris Buechler almost 6 years ago

  • Category set to Certificates
#2

Updated by Bruce Simpson over 5 years ago

+1 for this feature -- it's pretty much essential for implementing PKI across an infrastructure.

So I wanted to enrol an HPE 1920 workgroup switch in pfSense's CA today. I was unable to do this with the GUI. The device would not accept a pre-issued server certificate, but it would generate CSRs.

Whilst I was able to use openssl(1) from the command line to do this, it required spoofing the demoCA/ tree which the default OpenSSL config wants.

Also, the CA certificate and key are bound up in the config.xml. There is no direct way to expose them unless you have OpenVPN running, in which case they will be unpacked for its use.

The upside of doing things this way is that it is slightly more secure in one way -- the private key never leaves the external device.

The downside of doing things this way is that it breaks the PKI -- the certificate will be issued with a serial number which pfSense is unaware of, and its internal CA will also be unaware of the certificate.
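The command-line route described above, as an added example that is not part of this thread or of pfSense itself: it signs an externally generated CSR with `openssl x509 -req`, which needs no demoCA/ tree, and keeps a serial file so the issuer at least has a record of what it issued. The CA and the "device" CSR are constructed stand-ins; with a real pfSense CA you would use its exported certificate and key instead.

```shell
#!/bin/sh
# Added example, not code from the thread: sign an external CSR with a CA
# key/cert using "openssl x509 -req" instead of "openssl ca" (no demoCA/).
# All file names and subjects are constructed for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the pfSense CA (real use: the CA certificate and
# key exported from the pfSense certificate manager).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Constructed stand-in for the device: the private key stays on the device,
# only the CSR is handed to the CA.
make_device_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=switch01.example.internal" \
        -keyout "$WORK/device.key" -out "$WORK/device.csr" >/dev/null 2>&1
}

# Sign the CSR. -CAserial/-CAcreateserial keep a serial file beside the CA
# so consecutive issues get distinct serials; this file is the issuer-side
# record that the thread notes pfSense's internal CA would otherwise lack.
sign_csr() {
    openssl x509 -req -in "$WORK/device.csr" -sha256 -days 365 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAserial "$WORK/ca.srl" -CAcreateserial \
        -out "$WORK/device.crt" >/dev/null 2>&1
}

# Returns 0 if the issued certificate chains to the CA certificate.
verify_issued() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/device.crt" >/dev/null 2>&1
}

# Print the serial number of the issued certificate (to record it in an
# inventory or a revocation list later).
issued_serial() {
    openssl x509 -in "$WORK/device.crt" -noout -serial | sed 's/^serial=//'
}

# Print the subject of the issued certificate.
issued_subject() {
    openssl x509 -in "$WORK/device.crt" -noout -subject
}
```

Server certificates for modern clients also need a subjectAltName extension; pass one with `-extfile` when signing a real CSR.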

#3

Updated by Curtis Ruck over 5 years ago

+1. Some applications will generate a new private key internally and only export the CSR; these applications do this to protect the private key, as trying to export pfSense-generated and signed certificates leads to the private key existing in too many places (even temporarily) for it to be securely used.

#4

Updated by Peter Bosgraaf about 5 years ago

+1, would love to be able to sign external CSRs from within pfSense. (For both certificates and intermediate-CAs)

#5

Updated by Ian Gallagher almost 5 years ago

+1 - I would very much like the ability to use the pfSense managed CA for signing my other internal CSRs within my network.

#6

Updated by Andy Sayler almost 5 years ago

I'd also love to see this functionality. Many Ubiquiti devices only support outputting a CSR instead of importing a key, making them hard to use with the pfSense CA.

#7

Updated by Tech Synedra over 4 years ago

+1 for that rather basic feature!

It should be easy to implement; there is already a similar package that handles similar tasks:
OpenVPN Client Export

This one handles Certificates and Keys on a commandline basis.

Here are the necessary steps to sign a CSR on a pfSense:

Basically I know how to handle the request on the command line, but it would be great to have it done via the UI of pfSense.

#8

Updated by Tech Synedra over 4 years ago

I see now there might be another problem.

Currently pfSense cannot handle certificates w/o a private key, so there is no way to use an externally created certificate.

#9

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Duplicate

Superseded by #7383

