Differences

This shows you the differences between two versions of the page.

--- pfsense_ssl_install [2025/11/21 12:15] – admin
+++ pfsense_ssl_install [2025/11/21 12:38] (current) – admin
@@ Line 9: / Line 9: @@
-✅ STEP 1 — Generate a new private key + CSR in pfSense
+✅ **STEP 1** — Generate a new private key + CSR in pfSense
 .	Log in to pfSense
 .	Go to:
    System → Cert. Manager → Certificates
 .	Click: + Add / Sign
 .	Choose:
    Method: Create a Certificate Signing Request (CSR)
@@ Line 22: / Line 24: @@
 Fill the form like this:
-**Field**                                   **Value**
+**Field**  ---------------->  **Value**\\
-//Descriptive name                        e.g. pilotreg-ssl-2025
+//Descriptive name  ---------------->  e.g. pilotreg-ssl-2025\\
-Key Type                                RSA (4096 bits) ← recommended
+Key Type  ---------------->  RSA (4096 bits) ← recommended\\
-Digest Algorithm                        SHA256
+Digest Algorithm  ---------------->  SHA256\\
-Common Name                             *.yourdomain.com (or your exact domain)
+Common Name. ---------------->  *.yourdomain.com (or your exact domain)\\
-Country / State / City                  Fill as required
+Country / State / City  ---------------->  Fill as required\\
-Email / Org                             Optional unless required
+Email / Org  ---------------->  Optional unless required\\
 //
+👉 For wildcard certificates, use *.yourdomain.com
+Click Save.
+You will now see the CSR pending in the list.
+. Click the Download or View CSR icon next to it(looks like a magnifying glass)
+Copy the CSR — it will look like:
+-----BEGIN CERTIFICATE REQUEST----- \\
+MIIC4jCCAc...\\
+-----END CERTIFICATE REQUEST-----\\
+✅ **STEP 2** — Upload CSR to Namecheap
+.	Log in to Namecheap\\
+.	Go to Products → SSL Certificates\\
+.	Next to your certificate click → Activate\\
+.	Paste the CSR you copied from pfSense\\
+.	Choose Web Server type: Other / Apache / Nginx (any works)\\
+.	Choose validation method (Email / DNS CNAME / HTTP)\\
+\\
+⚠️ I recommend DNS CNAME validation → fastest & easiest.\\
+\\
+Namecheap will then submit it to Sectigo.\\
+✅ **STEP 3** — Once Namecheap issues the certificate\\
+You will receive a ZIP file containing:\\
+  * Your domain certificate (yourdomain.crt)\\
+  * ntermediate CA (SectigoRSADomainValidationSecureServerCA.crt)\\
+  * Root certificate (not needed for pfSense)\\
+Unzip it.\\
+✅ **STEP 4** — Import certificate into pfSense\\
+. Go to: System → Cert. Manager → Certificates\\
+. Edit the previously generated CSR entry\\
+. Choose: Import certificate\\
+. Paste:\\
+Field  ---------------->  Paste\\
+Certificate data  ---------------->  Contents of yourdomain.crt\\
+Certificate Chain  ---------------->  Paste intermediate cert(s) from the ZIP\\
+Example formatting:\\
+-----BEGIN CERTIFICATE-----\\
+(your domain certificate)\\
+-----END CERTIFICATE-----\\
+\\
+-----BEGIN CERTIFICATE-----\\
+(intermediate certificate)\\
+-----END CERTIFICATE-----\\
+\\
+⚠️ Do NOT paste the private key, pfSense already has it stored since it created the CSR.
+Click Save.
+\\
+✅ **STEP 5** — Configure pfSense / HAProxy to use the certificate\\
+If used for the WebGUI:\\
+System → Advanced → Admin Access → SSL Certificate → select new cert\\
+If used in HAProxy:\\
+Services → HAProxy → SSL Offloading (frontend)\\
+Add → Select your new certificate\\
+\\
+Click Apply and reload.
+\\
+\\
+🚨 **FINAL CHECK**
+\\
+go to:\\
+   https://ssllabs.com/ssltest
+and enter yourdomain.com to verify the chain.
+\\
+That's it!
+\\
+\\
+**Your ArtIT Team**
+\\
+\\
+**[[pfsense|BACK]]**