Installing SSL Certificates in pfSense

Summary:

✅ Generate a new private key + CSR inside pfSense
✅ Upload the CSR to Namecheap (Sectigo DV SSL)
✅ Import the resulting cert back into pfSense and assign it to HAProxy (or WebGUI)

STEP 1 — Generate a new private key + CSR in pfSense

1. Log in to pfSense

2. Go to:

 System → Cert. Manager → Certificates

3. Click: + Add / Sign

4. Choose:

 Method: Create a Certificate Signing Request (CSR)

Fill the form like this:

Field —————→ Value
Descriptive name —————→ e.g. pilotreg-ssl-2025
Key Type —————→ RSA (4096 bits) ← recommended
Digest Algorithm —————→ SHA256
Common Name —————→ *.yourdomain.com (or your exact domain)
Country / State / City —————→ Fill as required
Email / Org —————→ Optional unless required

👉 For wildcard certificates, use *.yourdomain.com

Click Save.

You will now see the CSR pending in the list.

5. Click the Download or View CSR icon next to it (looks like a magnifying glass)

Copy the CSR — it will look like:

-----BEGIN CERTIFICATE REQUEST-----
MIIC4jCCAc…
-----END CERTIFICATE REQUEST-----

STEP 2 — Upload CSR to Namecheap

1. Log in to Namecheap
2. Go to Products → SSL Certificates
3. Next to your certificate click → Activate
4. Paste the CSR you copied from pfSense
5. Choose Web Server type: Other / Apache / Nginx (any works)
6. Choose validation method (Email / DNS CNAME / HTTP)

⚠️ I recommend DNS CNAME validation → fastest & easiest.

Namecheap will then submit it to Sectigo.

STEP 3 — Once Namecheap issues the certificate

You will receive a ZIP file containing:

Unzip it.

STEP 4 — Import certificate into pfSense

1. Go to: System → Cert. Manager → Certificates
2. Edit the previously generated CSR entry
3. Choose: Import certificate
4. Paste:

Field —————→ Paste
Certificate data —————→ Contents of yourdomain.crt
Certificate Chain —————→ Paste intermediate cert(s) from the ZIP

Example formatting:

-----BEGIN CERTIFICATE-----
(your domain certificate)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(intermediate certificate)
-----END CERTIFICATE-----

⚠️ Do NOT paste the private key. pfSense already has it stored, since it created the CSR.

Click Save.
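
A pre-import check for STEP 4, as an added example that is not part of the original page: it confirms that the issued certificate carries the same public key as the CSR and that it verifies through the intermediate(s) to a root. It uses only standard openssl subcommands; the function names, file names and the throwaway CA hierarchy built by make_demo are constructed for the illustration.

```shell
#!/bin/sh
# Added example: pre-import checks for STEP 4, run on any host with openssl.
# All file names and subjects below are constructed for the demo.

# SHA-256 of the public key inside a CSR (kind "req") or certificate ("x509").
pubkey_fp() {  # usage: pubkey_fp req|x509 FILE
    pk=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) && [ -n "$pk" ] || return 1
    printf '%s\n' "$pk" | openssl sha256 | awk '{print $NF}'
}

# True only if the issued certificate carries the key the CSR was created for,
# i.e. the key pfSense is still holding for the pending CSR entry.
cert_matches_csr() {  # usage: cert_matches_csr CERT CSR
    a=$(pubkey_fp x509 "$1") && b=$(pubkey_fp req "$2") && [ "$a" = "$b" ]
}

# True only if the leaf verifies through the intermediates to the given root.
chain_ok() {  # usage: chain_ok LEAF INTERMEDIATES ROOT
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Constructed material: root CA -> intermediate CA -> leaf, plus an unrelated CSR.
make_demo() {  # usage: make_demo DIR
    d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter leaf other; do   # 2048-bit keys only to keep the demo fast
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=constructed-$n.example" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Demo on the constructed hierarchy: sh <this file> demo
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d) && make_demo "$t"
    cert_matches_csr "$t/leaf.crt" "$t/leaf.csr" && echo "key matches CSR"
    chain_ok "$t/leaf.crt" "$t/inter.crt" "$t/root.crt" && echo "chain verifies"
    rm -rf "$t"
fi
```

For a real import, pass yourdomain.crt and the CSR copied from pfSense to cert_matches_csr, and give chain_ok the intermediate file from the ZIP plus the issuing CA's root certificate.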

STEP 5 — Configure pfSense / HAProxy to use the certificate

If used for the WebGUI:

 System → Advanced → Admin Access → SSL Certificate → select new cert

If used in HAProxy:

 Services → HAProxy → SSL Offloading (frontend)
 Add → Select your new certificate

Click Apply and reload.

🚨 FINAL CHECK
Go to:

 https://ssllabs.com/ssltest

and enter yourdomain.com to verify the chain.
That's it!

Your ArtIT Team
