Bug #8569: Certificates generated using deprecated extensions
Status: closed
Description
Any certificate generated in the certificate management interface is generated with a Netscape Cert Type extension indicating the purpose of the certificate. This extension is old and its use has been deprecated for a long time. In fact, the nsCertType extension shows up as an unknown extension as of OpenSSL v1.1. OpenVPN also deprecated the use of this extension quite some time ago, and is soon to remove the ns-cert-type option from OpenVPN entirely.
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--ns-cert-type
The correct method is to set the X.509v3 Key Usage and X.509v3 Extended Key Usage fields correctly.
Accordingly, the web UI for pfSense should stop looking for the nsCertType extension to determine/display if the certificate is a client or server certificate, and set/follow the KU/EKU extensions. In OpenVPN, "remote-cert-tls" has replaced "ns-cert-type"; this checks the KU/EKU fields appropriately.
```
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        AB:77:8C:16:BA:39:51:49:14:79:F0:33:C5:A6:C6:62:4F:31:22:8D
    X509v3 Authority Key Identifier:
        keyid:FA:D8:C3:33:05:F7:23:F7:F6:B4:19:E1:F4:0F:27:3B:66:BF:A1:FC
        DirName:/CN=Test CA/C=US
        serial:5B:1E:C6:B5:0A:5C:54:10
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
    X509v3 Key Usage:
        Digital Signature, Key Encipherment
```
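The following is an added example, not code from the bug report, pfSense or OpenVPN. It audits the text output of `openssl x509 -text -noout` for the problem described above: it parses the extension section, flags certificates that still carry the deprecated Netscape Cert Type extension, and derives the certificate's role from KU/EKU the way `remote-cert-tls` does. The role rules (server needs the TLS Web Server Authentication EKU plus Digital Signature with Key Encipherment or Key Agreement; client needs the TLS Web Client Authentication EKU plus Digital Signature) are an assumption approximating OpenVPN's check, and the two certificate dumps are constructed samples: the first is the server certificate dump from the report, the second a client certificate that relies on nsCertType alone.

```python
"""Audit `openssl x509 -text -noout` output for reliance on the deprecated
Netscape Cert Type extension and for the KU/EKU values remote-cert-tls checks.
Added example; the role rules are an assumption approximating OpenVPN, not
pfSense or OpenVPN code."""
import re

# Constructed sample: the server certificate extensions quoted in the bug report
# (deprecated nsCertType present, but KU/EKU also set correctly).
SERVER_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                AB:77:8C:16:BA:39:51:49:14:79:F0:33:C5:A6:C6:62:4F:31:22:8D
            X509v3 Authority Key Identifier:
                keyid:FA:D8:C3:33:05:F7:23:F7:F6:B4:19:E1:F4:0F:27:3B:66:BF:A1:FC
                DirName:/CN=Test CA/C=US
                serial:5B:1E:C6:B5:0A:5C:54:10
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
"""

# Constructed sample: a client certificate whose only role marker is nsCertType.
LEGACY_CLIENT_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client
            X509v3 Subject Key Identifier:
                00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

SERVER_EKU = {"TLS Web Server Authentication", "1.3.6.1.5.5.7.3.1"}
CLIENT_EKU = {"TLS Web Client Authentication", "1.3.6.1.5.5.7.3.2"}


def parse_extensions(text):
    """Map each extension name under 'X509v3 extensions:' to its value lines.
    Extension headers share one indent level; their values are indented deeper."""
    exts = {}
    header_indent = None
    current = None
    started = False
    for line in text.splitlines():
        stripped = line.strip()
        if not started:
            started = stripped == "X509v3 extensions:"
            continue
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            header_indent = indent
        if indent < header_indent:  # left the extension section (e.g. Signature Algorithm)
            break
        if indent == header_indent:
            # Header looks like "Name:" or "Name: critical"; values follow on deeper lines
            current = re.sub(r":\s*(critical)?\s*$", "", stripped)
            exts[current] = []
        elif current is not None:
            exts[current].append(stripped)
    return exts


def _values(exts, name):
    """Split an extension's comma-separated value text into a set of items."""
    joined = " ".join(exts.get(name, []))
    return {v.strip() for v in joined.split(",") if v.strip()}


def audit_certificate(text):
    """Return the KU/EKU-derived role ('server', 'client' or None) and findings."""
    exts = parse_extensions(text)
    eku = _values(exts, "X509v3 Extended Key Usage")
    ku = _values(exts, "X509v3 Key Usage")
    ns = _values(exts, "Netscape Cert Type")
    findings = []
    role = None
    # Assumption: approximates what `remote-cert-tls server|client` requires
    if eku & SERVER_EKU and "Digital Signature" in ku and ku & {"Key Encipherment", "Key Agreement"}:
        role = "server"
    elif eku & CLIENT_EKU and "Digital Signature" in ku:
        role = "client"
    if role is None:
        findings.append("no usable KU/EKU role: remote-cert-tls would reject this certificate")
    if ns:
        findings.append("deprecated Netscape Cert Type present: " + ", ".join(sorted(ns)))
        ns_role = "server" if "SSL Server" in ns else "client" if "SSL Client" in ns else None
        if role is not None and ns_role != role:
            findings.append(f"nsCertType says {ns_role} but KU/EKU say {role}")
    return {"role": role, "findings": findings}


if __name__ == "__main__":
    for label, text in (("server", SERVER_CERT_TEXT), ("legacy client", LEGACY_CLIENT_CERT_TEXT)):
        result = audit_certificate(text)
        print(f"{label}: role={result['role']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against real certificates with `openssl x509 -in cert.pem -text -noout | python3 audit.py` after replacing the constructed samples with `sys.stdin.read()`; the first sample reports a server role with a single deprecation finding, while the second has no KU/EKU role at all and would be rejected once `remote-cert-tls` replaces `ns-cert-type`.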