Enable SSL for pfSense 2.4: Fast & Easy

If you are new to pfSense and have just set up a new box, you won’t have a secure connection to it by default. You probably remember that you had to add a security exception when you connected to your pfSense for the first time. We are going to fix this today: I will show you how to enable SSL (HTTPS) for pfSense 2.4 so that the red warning in your browser goes away.

But before we start, we are going to make sure we are still able to have access to our Firewall in case anything goes wrong and you can’t access the Web Interface anymore. There can be problems if you use older Browser Versions than the ones used in this Tutorial, so we want to make sure you won’t lock yourself out.

The User Gert pointed that out in the comments, thank you for this, Gert.

🚀 This tutorial has been updated in June 2021.

⚠️ If you would like to learn more about pfSense, I highly recommend you check out my pfSense Fundamentals Bootcamp over at Udemy. This is the most up-to-date as well as the highest-rated pfSense course on the internet.

Step 1 – Making sure we have a Backdoor in Place

Log in to your pfSense Firewall first. We will set up a few fallback ways in (“Backdoors”) in case we get locked out. Further Documentation can be found here.

Creating a pfSense Backup

The first thing we are going to do is create a Backup of your working Configuration. To do so, navigate to Diagnostics / Backup & Restore. Select the options as in the Screenshot below and Download your configuration as XML.

Enabling SSH on pfSense

Now we are going to enable SSH. This allows us to access our Firewall via something like PuTTY in case we can’t access the Web GUI anymore. Navigate to System / Advanced and scroll down until you find Secure Shell.

Tick the box to enable SSH and leave the SSH port on its Default of 22, or change it as desired. You can log in to your pfSense via SSH using your Admin Password. Optionally, you can choose to create a Public Key. After we have finished enabling SSL for pfSense 2.4, you can disable SSH again if you wish, although for Home Usage it should be fine to leave it on.

Enabling Serial Communications

If your pfSense Device has a Serial Port, you can also enable it. You will find this Option right underneath the Secure Shell Field. Just tick the Box Serial Terminal to enable it, so you have another way to access your pfSense in case something happens. I recommend leaving this setting enabled anyway, for home use.

That should give us enough options to restore our previous configuration in case you experience any problems. Let’s get started with the actual Enable SSL for pfSense Tutorial then, shall we?

Step 2 – Creating a new Certificate Authority and Certificate for SSL

First, we are going to create a new SSL Certificate Authority on pfSense. Navigate to System / Certificate Manager / CAs and click on Add.

Enter everything as in the Screenshot Below. Add Additional Details if you want to, like your Location.

Creating a Sub Certificate

Next, we need to create an Intermediate Certificate Authority. So on System / Certificate Manager / CAs, click on Add once again.

Creating a new Certificate

Now click on the Certificates Tab at System / Certificate Manager. Click on +Add/Sign to add a new Certificate. Fill everything out as in the Screenshot below. Make sure to put your pfSense Fully Qualified Domain Name in the Fields on Step 2 and 6.

You can see your pfSense FQDN on System / General Setup under System. Your FQDN is the combination of Hostname and Domain separated by a dot. So if your Hostname is pfsense1 and your Domain is localdomain, your FQDN is pfsense1.localdomain. This is what you want to put in there.

Make sure you put the IP Address of your pfSense Firewall at Step 2 and the FQDN of your Firewall at Step 4. Also, make sure you have Server Certificate selected at Step 1.

Exporting the Certificate Authorities

Navigate back to System / Certificate Manager / CAs. This is important. Click on Export on both CAs.

Now there are 2 ways to install those Certificates. Which one you need depends on the browser you use.

For Chrome, we need to Import both Certificates into the Windows Certificate Store. For Firefox, we need to Import only the Root-CA, directly into Firefox. I just hope and assume that none of my readers is using the abomination that is Internet Explorer or even Edge.

Let us start with Chrome.

Step 3 – Google Chrome

For Google Chrome, we need to Import the Root-CA to our Windows 10 Certificate Root. Open your Windows Settings and Search for “Certificate”. Open the Manage computer certificates settings.

In there, navigate to Trusted Root Certification Authorities / Certificates and right-click somewhere on the right side on an empty space, and select All Tasks -> Import. Select the Root CA you downloaded from your Firewall.

Select Place all certificates in the following Store: Trusted Root Certification Authorities. Click Next and Finish.

Now navigate to Intermediate Certification Authorities / Certificates and repeat the step above, but this time import the SUB-CA.

If you only use Chrome, continue with Step 5.

Step 4 – Firefox

On Firefox, we need to manually import the Root-CA only. To do that, open Firefox and head to Options / Privacy & Security / View Certificates.

Click on Authorities and Import the pfSense Certificate from your Downloads folder. Tick both Checkboxes.

Continue with Step 5 for the last thing we need to do to enable SSL for pfSense 2.4.

Step 5 – Enable SSL for pfSense 2.4

Log back into your pfSense Firewall and Navigate to System / Advanced / Admin Access.

Make sure HTTPS is selected as Protocol and change the SSL Certificate to the one you have created. Scroll down and click on Save. Now, when you restart your Web Browser, you should see a Secure Connection to pfSense the next time you access it.

Step 6 – Wrapping Up

Because you have specified Alternative Names in the Certificate, you will be able to securely access your firewall with either the FQDN or the IP Address. See the examples below.

Firefox via IP

Firefox via FQDN

Chrome via IP

Chrome via FQDN

As you can see, it works. This ensures that you have a secure connection to your pfSense Firewall. Don’t miss out on other pfSense Tutorials and also check my YouTube Channel for a lot of pfSense Video Tutorials!
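
A command-line counterpart to the browser checks above, as an added example that is not part of the original tutorial: it rebuilds the same Root CA, Sub CA and server certificate layout with openssl in a temporary directory, then tests chain validation and the Alternative Names. The IP 192.168.1.1, the CA names and the file names are constructed sample values; pfsense1.localdomain is the example FQDN from Step 2.

```shell
# Added example: Root CA -> Sub CA -> server certificate, as in Step 2.
# FQDN, IP, CA names and file names are constructed sample values.
FQDN="pfsense1.localdomain"   # Hostname.Domain from System / General Setup
IP="192.168.1.1"              # assumed LAN address of the firewall

issue() {  # $1 dir, $2 new name, $3 issuer name, $4 extension section, $5 CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$5" -config "$1/ext.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -days 30 -extfile "$1/ext.cnf" -extensions "$4" \
    -out "$1/$2.crt" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
  cat > "$1/ext.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_srv]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN,IP:$IP
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Sample Root CA" \
    -config "$1/ext.cnf" -extensions v3_ca \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
  issue "$1" sub root v3_ca "Sample Sub CA" &&
  issue "$1" server sub v3_srv "$FQDN"
}

chain_ok() {  # $1 dir, $2 = with-sub to make the Sub CA available
  if [ "$2" = with-sub ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/server.crt"
  else
    openssl verify -CAfile "$1/root.crt" "$1/server.crt"
  fi 2>/dev/null | grep -q ': OK$'
}

name_ok() {  # $1 dir, $2 = host|ip, $3 = name typed into the address bar
  openssl x509 -in "$1/server.crt" -noout "-check$2" "$3" | grep -q 'does match'
}

work=$(mktemp -d) && build_chain "$work" || exit 1
chain_ok "$work" with-sub && echo "Root CA + Sub CA: chain OK"
chain_ok "$work" root-only || echo "Root CA only: chain cannot be built"
for n in "host $FQDN" "ip $IP" "host pfsense1"; do
  name_ok "$work" $n && echo "$n: match" || echo "$n: no match, browser warns"
done; rm -rf "$work"
```

To check the real firewall's files instead, call chain_ok and name_ok on a directory that holds the exported CAs and certificate saved as root.crt, sub.crt and server.crt.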

The post Enable SSL for pfSense 2.4: Fast & Easy appeared first on CEOS3C.
