**Installing SSL Certificates in pfSense**

Summary:\\
✅ Generate a new private key + CSR inside pfSense\\
✅ Upload the CSR to Namecheap (Sectigo DV SSL)\\
✅ Import the resulting cert back into pfSense and assign it to HAProxy (or WebGUI)

✅ **STEP 1** — Generate a new private key + CSR in pfSense

1. Log in to pfSense\\
2. Go to: System → Cert. Manager → Certificates\\
3. Click: + Add / Sign\\
4. Choose: Method: Create a Certificate Signing Request (CSR)

Fill the form like this:

**Field** ----------------> **Value**\\
//Descriptive name ----------------> e.g. pilotreg-ssl-2025\\
Key Type ----------------> RSA (4096 bits) ← recommended\\
Digest Algorithm ----------------> SHA256\\
Common Name ----------------> *.yourdomain.com (or your exact domain)\\
Country / State / City ----------------> Fill as required\\
Email / Org ----------------> Optional unless required//\\

👉 For wildcard certificates, use *.yourdomain.com

Click Save. You will now see the CSR pending in the list.

5. Click the Download or View CSR icon next to it (looks like a magnifying glass)

Copy the CSR — it will look like:

-----BEGIN CERTIFICATE REQUEST-----\\
MIIC4jCCAc...\\
-----END CERTIFICATE REQUEST-----\\

✅ **STEP 2** — Upload CSR to Namecheap

1. Log in to Namecheap\\
2. Go to Products → SSL Certificates\\
3. Next to your certificate click → Activate\\
4. Paste the CSR you copied from pfSense\\
5. Choose Web Server type: Other / Apache / Nginx (any works)\\
6. Choose validation method (Email / DNS CNAME / HTTP)\\
\\
⚠️ I recommend DNS CNAME validation → fastest & easiest.\\
\\
Namecheap will then submit it to Sectigo.\\

✅ **STEP 3** — Once Namecheap issues the certificate\\

You will receive a ZIP file containing:\\
  * Your domain certificate (yourdomain.crt)\\
  * Intermediate CA (SectigoRSADomainValidationSecureServerCA.crt)\\
  * Root certificate (not needed for pfSense)\\

Unzip it.\\

✅ **STEP 4** — Import certificate into pfSense\\

1. Go to: System → Cert. Manager → Certificates\\
2. Edit the previously generated CSR entry\\
3. Choose: Import certificate\\
4. Paste:\\

**Field** ----------------> **Paste**\\
Certificate data ----------------> Contents of yourdomain.crt\\
Certificate Chain ----------------> Paste intermediate cert(s) from the ZIP\\

Example formatting:\\
-----BEGIN CERTIFICATE-----\\
(your domain certificate)\\
-----END CERTIFICATE-----\\
\\
-----BEGIN CERTIFICATE-----\\
(intermediate certificate)\\
-----END CERTIFICATE-----\\
\\
⚠️ Do NOT paste the private key; pfSense already has it stored, since it created the CSR.

Click Save.\\

✅ **STEP 5** — Configure pfSense / HAProxy to use the certificate\\

If used for the WebGUI:\\
System → Advanced → Admin Access → SSL Certificate → select new cert\\

If used in HAProxy:\\
Services → HAProxy → SSL Offloading (frontend)\\
Add → Select your new certificate\\
\\
Click Apply and reload.\\
\\
🚨 **FINAL CHECK**\\
Go to:\\
https://ssllabs.com/ssltest and enter yourdomain.com to verify the chain.\\

That's it!\\
\\
**Your ArtIT Team**\\
\\
**[[pfsense|BACK]]**
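A local pre-import check for STEP 3 and STEP 4, added here as an example and not part of the original page: it confirms that the issued certificate carries the same public key as the CSR pfSense generated, and that the intermediate(s) link the certificate to a root. It assumes the openssl CLI is available; the function names are hypothetical, and the sample PKI it can build is constructed throwaway data.

```shell
#!/bin/sh
# Pre-import checks for the CSR (STEP 1) and the files from the ZIP (STEP 3).
# Assumes the openssl CLI is installed; all function names are hypothetical.

# SHA-256 of the public key in a CSR (kind "req") or certificate (kind "x509").
pubkey_hash() {  # usage: pubkey_hash req|x509 FILE
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when the issued certificate carries the CSR's public key, i.e. it pairs
# with the private key pfSense kept when it generated the CSR.
cert_matches_csr() {  # usage: cert_matches_csr CSR CERT
    a=$(pubkey_hash req "$1") || return 1
    b=$(pubkey_hash x509 "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when CERT chains to a root in TRUST using only the intermediates in
# CHAIN (the PEM text destined for the "Certificate Chain" field).
chain_verifies() {  # usage: chain_verifies TRUST CHAIN CERT
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Constructed sample data: throwaway root -> intermediate -> leaf inside DIR.
make_constructed_pki() {  # usage: make_constructed_pki DIR
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      for n in root inter leaf; do
          openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
              -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
      done
      openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
          -days 1 -out root.crt 2>/dev/null || exit 1
      openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
          -CAcreateserial -extfile ca.ext -days 1 -out inter.crt 2>/dev/null || exit 1
      openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key \
          -CAcreateserial -days 1 -out leaf.crt 2>/dev/null )
}
```

With real files, pass the CSR saved in STEP 1 and yourdomain.crt to `cert_matches_csr`, and use the root certificate from the ZIP as TRUST and the intermediate file as CHAIN for `chain_verifies`.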