Easyrsa for pfSense

From pfSense Documentation
Jump to: navigation, search
This article is part of the How-To series.
Important30.png WARNING Important30.png
This method is not necessary on any currently supported version of pfSense!

These instructions remain to accommodate those who have upgraded and have not yet phased out the use of these older certificate structures.

Certificate management is built into the GUI on current versions, found under System > Cert Manager, so manually maintaining certificates in the shell is no longer required and is very cumbersome, and also does not work with the OpenVPN Client Export Package.

This method will still work to create certificates, but it is not recommended.

If certificates were created this way, they may be imported into the GUI on 2.0 and later and managed there instead.

pfSense 1.2.x

The easy-rsa mechanism may be used on pfSense to generate OpenVPN keys.

WARNING: This may not be the ideal situation for deploying a PKI. If the OpenVPN server is compromised, the entire PKI will be compromised. This is typically of very little concern, as access to the firewall is highly restricted, and in most networks it's likely the most secure and least accessible device on the network.

NOTE: On NanoBSD installs the disk must be remounted read/write before performing these instructions. To do so, run:

/etc/rc.conf_mount_rw

Install

Run the following from an SSH session:

fetch -o - http://files.pfsense.org/misc/easyrsa-setup.txt | /bin/sh

This will download the files, extract them, and remove the downloaded file. After doing this, prompt will show to run the next step manually. Copy and paste the last line displayed to generate certificates (NOTE: If process was performed previously, repeating this will wipe out all existing certificates!)

cd /root/easyrsa4pfsense && ./PFSENSE_RUN_ME_FIRST

This will first prompt for the location and organization information to be used when generating the certificate authority and initial certificates, and as defaults when creating additional certificates in the future. It will then create a certificate authority, a server certificate, and one client certificate. These files can be found in the /root/easyrsa4pfsense/keys/ directory.

If prompt for a challenge password is presented, it is typically left it blank. Press enter at the challenge password prompt, and again on the confirm prompt.

Creating a client key

To create a new client key, SSH into the firewall, choose option 8 and run:

cd /root/easyrsa4pfsense
source vars
./build-key clientXXXX

Where clientXXXX is the name of the client.

The client's keys are saved in /root/easyrsa4pfsense/keys/

Creating a password protected client key

To create a new client key with password protection:

cd /root/easyrsa4pfsense
source vars
./build-key-pass clientXXXX

Where clientXXXX is the name of the client.

The client's keys are saved in /root/easyrsa4pfsense/keys/

Revoke a client key

To revoke the key for client1:

cd /root/easyrsa4pfsense/
source vars
./revoke-full client1

Which will update the crl.pem file, the contents of which need to go into the pfSense OpenVPN GUI in the CRL field.