ACME package

The ACME package on pfSense software enables users to obtain certificates from providers who run servers compatible with the Automatic Certificate Management Environment (ACME) protocol.

The most common ACME service is provided by Let’s Encrypt. Let’s Encrypt is an open, free, and completely automated Certificate Authority from the non-profit Internet Security Research Group (ISRG). The goal of Let’s Encrypt is to encrypt the web by removing the cost barrier and some of the technical barriers that discourage server administrators and organizations from obtaining certificates for use on Internet servers, primarily web servers.

Most browsers trust certificates from Let’s Encrypt and some other common ACME providers. These certificates can be used for web servers (HTTPS), SMTP servers, IMAP/POP3 servers, and other similar roles which utilize the same type of certificates. By using a certificate from a trusted provider such as Let’s Encrypt for a web server, including a firewall running pfSense software, client browsers and other software will trust the certificate and show a green check mark, padlock, or similar indication. The connection will be encrypted without the need for a client to manually trust an invalid or self-signed certificate.

The ACME package for pfSense® software interfaces with ACME servers run by Let’s Encrypt and other similar providers to handle the certificate generation, validation, and renewal processes.

Note

Though the ACME package supports other providers, the information here is primarily focused around the Let’s Encrypt service as it is the most common. Other ACME servers may operate similarly, but they may not support the same features provided by Let’s Encrypt or be trusted as widely. Check with the provider and test thoroughly before using any certificate in a production role.

ACME providers such as Let’s Encrypt perform validation before issuing certificates, and this validation ensures that the system requesting the certificate has authority over the hostname or domain in question. This validation can be performed in a number of ways, such as by proving ownership of the domain’s DNS records or publishing a file on a web server for a hostname. Check with the ACME provider for specific information on which validation methods they support.

ACME providers generally limit certificate validity to a short time frame, so certificates must be renewed periodically. For example, certificates signed by Let’s Encrypt are valid for 90 days. The ACME package automates the renewal process by using a scheduled job to check once per day for certificates nearing expiration.