Obtaining a Certificate

These instructions cover the general process of obtaining a certificate. Specific settings will vary by deployment, and each section below links to the settings for each area.

Generate an Account Key

Before a certificate can be created by the firewall, the firewall must first obtain an account key. This key is typically unique for each server, but can be shared.

For users unfamiliar with Let’s Encrypt, the first key should be for the staging system, which has no rate limits but is not valid for public use. Once a certificate is successfully issued by the staging system, create an account key for the production system and then issue the certificate again using that key.

To create and register an account key:

  • Navigate to Services > ACME Certificates, Account Keys tab

  • Click Add

  • Fill in the info as described in Account Key Settings

  • Click Create new account key

  • Click Register ACME account key

  • Click Save

Create a Certificate

The next step is to create a certificate entry.

Configure General Settings

The last step is to enable at least the Cron Entry to ensure that the ACME package will automatically renew certificates before they expire. See General Settings for detailed descriptions of the options.

  • Navigate to Services > ACME Certificates, Certificates tab

  • Check Cron Entry

  • Check Write Certificates (optional)

  • Click Save