Last modified at 10/6/2017 1:31 AM by Koen Zomers

​​Windows and Unix/Linux are still two different worlds. Also when it comes to certificates. This article will explain the steps needed to utilize a Windows certificate on a pfSense server. Vital is to realize you will need to have access to the certificate with the private key included. Furthermore the certificate must be created with the allow private key to be exported option on. Otherwise it is not possible to export your certificate to pfSense.

  1. First you need to create a PFX export of the certificate you wish to use on pfSense. If you already have this PFX, skip right to step 17. If you don't have a PFX yet, there are many ways to export existing certificates on Windows to a PFX. I will describe one common method for this in the next few steps.
  2. On the server which contains the certificate you wish to use on pfSense, boot up a command prompt console and type mmc followed by pressing enter.

  3. Through the File menu at the top, go to Add/Remove Snap-In...

  4. Select Certificates in the list at the left and click on Add in the center of the dialog

  5. Select the Computer account and click Next

  6. Leave Local computer selected and click Finish

  7. Note that the Certificates snap-in for the local computer has now been added to the list. Click OK at the bottom to continue.

  8. Expand the tree at the left and go to Certificates (Local Computer) \ Personal \ Certificates. The certificates installed on that server will now be shown. Right click on the certificate you wish to transfer to pfSense, go to All Taks and click on Export.

  9. On the first page of the Certificate Export Wizard, simply click Next

  10. On the next page, select Yes, export the private key. If this option is not available, it means that on this server you don't have the certificate installed with the private key included or it is installed, but with the option do not allow the private key to be exported enabled. Either way, you need to get your hands on the certificate with the private key included and also with the option which allows the private key to be exported enabled before you can continue.

    Click Next at the bottom.

  11. Make sure export to PFX is selected and only the box in front of Include all certificates in the certification path if possible is checked and click Next at the bottom.

  12. Enter a password to protect your certificate with. This screenshot is taken from a Windows Server 2012 machine. On previous Windows versions it looks slightly different, but the idea is the same.
    Click Next after having entered a password.

  13. Enter the path where you want to store your certificate to and click Next to continue.

  14. Click Finish to start the certificate export process.

  15. After a few seconds, it should show a confirmation box notifying you that the certificate was successfuly exported. Dismiss the dialog by clicking OK.

  16. You should now be able to find the PFX with the certificate on the location you specified at step 13. Copy it to your local machine.

  17. In order to transform the PFX certificate to the X. 509 PEM format used by pfSense, we're going to use the free open source OpenSSL application. The Win32 OpenSSL Light edition will be sufficient for this purpose. You can download it at the OpenSSL website or download it from my mirror (2 MB).

    Install the application by next-next-finish-ing through the installer process.
  18. Copy the PFX with the certificate into the OpenSSL installation path which is C:\OpenSSL-Win32 by default.
  19. Open a command prompt console and navigate to the BIN subfolder in the OpenSSL installation directory (C:\OpenSSL-Win32\bin by default). Once there, execute the following command:

    openssl pkcs12 -in <path to your PFX> -out ..\certificate.pem -nodes
    Enter the certificate password you assigned at step 12 when asked for the import password.

  20. Check the OpenSSL installation folder (C:\OpenSSL-Win32 by default). It should now contain a file called certificate.pem

  21. Open this certificate.pem file in a tool like notepad++. Opening it in the default Windows notepad will make it impossible to use the file as it doesn't correctly apply the linebreaks. Leave this file open while we continue navigating to the right place in pfSense.
  22. Using the menu at the top, navigate to System -> Cert Manager

  23. Click on the Certificates tab

  24. Click on the + icon at the right bottom to add a new certificate to the store

  25. Make sure the method field is set to Import an existing Certificate. Enter anything you wish to identify this certificate with within pfSense in the Descriptive name field.

    First the Private key data field at the bottom. Switch to your text editor in which you opened the certificate.pem file at step 21. At the top of the file you should see a section --BEGIN PRIVATE KEY--. Copy everything above this section until and including the first line which states --END PRIVATE KEY-- into the Private key data field in pfSense (marked in gray on the screenshot below).


    Now for the Certificate data field, start copying from the first line after the --END PRIVATE KEY-- line until and including the first line that reads --END CERTIFICATE--. Copy this into the Certificate data field in pfSense.


    The rest of the contents of the certificate.pem file can be ignored. The pfSense page should now look similar to the following screenshot. Press Save to complete the import process.


You can now use this certificate in pfSense for i.e. access to the admin webUI, the Captive Portal login page or any of the other parts that make use of certificates.

The OpenSSL tool can now be uninstalled again from your machine using the conventional Uninstall a program option in Control Panel of Windows.

Last but not least, in order for your clients to be able to connect to your pfSense wifi portal without receiving an ugly "there's something wrong with your SSL certificate" warning in their browser, make sure to add all the Certificate Revocation List (CRL) urls registered in your certificate to the Allowed Hostnames section of the pfSense captive portal as shown below. This makes it possible for the browser on the connecting client device to connect to the IP addresses to which these hostnames resolve without being blocked by the pfSense captive portal login page to verify if the used SSL certificate is still valid. Once it can verify this, and the certificate is still valid, the client will not see the warning notification in its browser anymore when connecting.


If you are unfamiliar with how to retrieve the correct CRL and OCSP paths from your certificate, just browse to your site secured with the certificate (i.e. the captive portal) and have your internet browser display the certificate details. The below screenshot shows a sample on how to do this using FireFox, but it can be done with any browser in somewhat similar steps.


If you want to import the root authority certificate as well to pfSense, use the following openssl command to conver the .cer of your root CA to its .pem equivallent:

openssl x509 -inform der -in certificate.cer -out certificate.pem

​Open this certificate.pem file in notepad++ again, copy its contents into the Certificate data field. There is no private key that you need to copy over this time.