Obtaining a Certificate
Generate an Account Key
Before the firewall can request a certificate, it must first obtain an ACME account key. This key identifies the firewall to the certificate authority; it is typically unique to each server, but can be shared between servers.
For users unfamiliar with Let’s Encrypt, make the first key for the staging system, which has much more generous rate limits but issues certificates that are not trusted by browsers or other clients. Once a certificate is successfully issued from the staging system, create an account key for the production system and issue the certificate again against it.
To create an account key:
Navigate to Services > ACME Certificates, Account Keys tab
Fill in the info:
- Name
A short name for the key
- Description
A longer bit of text describing the key
- ACME Server
Use staging for testing, production for real certificates. ACME v2 servers are required for wildcard certificates.
- E-Mail Address
An e-mail address which Let’s Encrypt will use to send expiration notices for certificates that are not renewed in a timely manner.
- Account Key
This will be filled in by the create action
Click Create new account key
Click Register acme account key
Create a certificate
Navigate to Services > ACME Certificates, Certificates tab
Fill in the info:
- Name
A short name for the certificate
- Description
A longer bit of text describing the certificate
- Acme Account
Choose the account key made previously (see Generate an Account Key)
- Private Key
Key size for the private key the firewall generates for this certificate. 2048 bits is a good choice, or select Custom to paste a private key generated elsewhere.
- Domain SAN List
The names the certificate will cover and how each one is validated. The settings for each entry depend on the chosen method (see Validation Methods).
A certificate can contain up to 100 SAN entries, and they can use the same or different validation methods. Each SAN must be individually validated by Let’s Encrypt before a certificate will be issued; if any one fails, no certificate is issued.
Leave the DNS wait time blank unless a DNS method needs extra time for new records to propagate before Let’s Encrypt checks them.
- Actions List
Commands to run after the certificate is issued or renewed, for example restarting a service that uses it. What to run depends on the purpose of the certificate.
For each action, give the full path to the command and its arguments, the service name, or the name of the script, and choose how the command is executed.
- Cert Renewal After
When to attempt a renewal for the certificate, in days after issuance. The default is 60 days (2 months). Certificates are valid for 90 days, so the default leaves 30 days for failed validations to be noticed and retried before the certificate expires.