Windows and Unix/Linux are still two different worlds, and that also holds
for certificates. This article explains the steps needed to use a Windows
certificate on a pfSense server. It is vital to realize that you need access
to the certificate with the private key included. Furthermore, the certificate
must have been created with the option that allows the private key to be
exported turned on; otherwise it is not possible to export your certificate to
pfSense.
You can now use this certificate in pfSense for, e.g., access to the admin
webUI, the Captive Portal login page or any of the other parts that make use of
The OpenSSL tool can now be uninstalled again from your machine using the
conventional Uninstall a program option in Control Panel of Windows.
Last but not least, for your clients to be able to connect to your pfSense wifi portal without receiving an ugly "there's something wrong with your SSL certificate" warning in their browser, make sure to add all the Certificate Revocation List (CRL) URLs registered in your certificate to the Allowed Hostnames section of the pfSense captive portal, as shown below. This lets the browser on the connecting client device reach the IP addresses to which these hostnames resolve, without being blocked by the captive portal login page, so that it can verify that the SSL certificate in use is still valid. Once it has verified this, and the certificate is still valid, the client no longer sees the warning in its browser when connecting.
If you are unfamiliar with how to retrieve the correct CRL and OCSP paths from your certificate, just browse to your site secured with the certificate (e.g. the captive portal) and have your browser display the certificate details. The screenshot below shows how to do this using Firefox, but it can be done in any browser with similar steps.
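As an alternative to reading the paths out of the browser dialog, the following added example (not part of the original article) extracts the CRL and OCSP hostnames from the text dump OpenSSL prints for a certificate. It assumes a POSIX shell with awk and openssl available; the function names, the sample dump and its example.test hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# List the hostnames of the CRL and OCSP URLs in a certificate, i.e. the
# entries to put under Allowed Hostnames in the pfSense captive portal.

# Reads the output of "openssl x509 -noout -text" on stdin and prints one
# lower-cased hostname per line, sorted and de-duplicated.
revocation_hosts() {
    awk '
        function emit(line,   u) {
            u = line
            sub(/^.*URI:/, "", u)                      # keep only the URI
            sub("^[a-zA-Z][a-zA-Z0-9+.-]*://", "", u)  # drop the scheme
            sub("[/:?#].*$", "", u)                    # drop port, path, query
            if (u != "") print tolower(u)              # ldap:/// has no host
        }
        /CRL Distribution Points/   { crl = 1; next }
        /Full Name:/                { next }
        /:[ \t]*(critical)?[ \t]*$/ { crl = 0 }   # another extension header
        crl && /URI:/               { emit($0) }  # CRL download locations
        /OCSP - URI:/               { emit($0) }  # OCSP responder
    ' | sort -u
}

# Constructed sample of the extension part of an "openssl x509 -text" dump.
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:portal.example.test
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://CRL.example.test/ca/issuing.crl

                Full Name:
                  URI:http://crl.example.test:8080/ca/issuing.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://pki.example.test/ca/issuing.crt

    Signature Algorithm: sha256WithRSAEncryption
EOF
}

# With a PEM file argument, inspect that certificate; otherwise use the sample.
if [ -n "${1:-}" ]; then
    openssl x509 -in "$1" -noout -text | revocation_hosts
else
    sample_cert_text | revocation_hosts
fi
```

The CA Issuers URL is deliberately left out, since the article only calls for the CRL and OCSP locations.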
If you want to import the root authority certificate into pfSense as well, use the following openssl command to convert the .cer of your root CA to its .pem equivalent:
openssl x509 -inform der -in certificate.cer -out certificate.pem
Open this certificate.pem file in Notepad++ again and copy its contents into the Certificate data field. There is no private key to copy over this time.