Certificate entries have the following settings:
A short name for the certificate
A longer string describing the certificate
Whether or not this entry is active
This entry will be processed manually and by the Cron job (General Settings)
This entry will be ignored
- Acme Account
The account key ACME will use when requesting the certificate (see Generate an Account Key)
- Private Key
The key length of the private key for this certificate. May be either RSA or ECDSA in several pre-defined sizes. Select Custom to manually enter a private key generated elsewhere.
2048-bit RSA is an acceptable default choice, but larger keys are more secure.
- OCSP Must Staple
When set, ACME will configure the certificate request for OCSP Stapling
Do not enable this option unless all consumers of the certificate support OCSP Stapling.
- Domain SAN List
A list of all domain names which will be included in this certificate as Subject Alternative Name (SAN) entries.
A certificate can contain up to 100 SAN entries, and they can use the same or different update methods. Each SAN must be individually validated by Let’s Encrypt before a certificate will be issued.
Whether or not this SAN is active in the certificate
- Domain Name
The domain name for a SAN entry in this certificate (e.g.
The method used by ACME to validate ownership of this domain. Method settings are described in Validation Methods.
Click Add for additional SAN entries
DNS Providers also have some common settings which appear for all types:
- DNS Alias
An alternative domain name used by the validation process. Instead of updating the DNS record for Domain Name directly, the package updates the record for this domain name. See DNS Alias Mode for details.
- DNS Alias Mode
Controls whether the DNS alias mode used is Challenge Alias (unchecked, default) or Domain Alias (checked). See DNS Alias Mode for details.
The amount of time the ACME validation process will wait after making DNS changes before attempting to validate. Some DNS services take a few minutes to propagate entries after making backend changes.
The default settings are typically sufficient, but slower providers may require a longer sleep time.
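The following added example (not part of the pfSense documentation or the ACME package code) works out which records the two DNS alias modes involve and checks a set of published CNAMEs for missing delegations. It assumes the package follows the acme.sh convention, where Challenge Alias prepends `_acme-challenge.` to the alias and Domain Alias uses the alias name as entered; all domain names and the function names are constructed for illustration.

```python
# Added example: which DNS records each alias mode touches (acme.sh semantics assumed).
from dataclasses import dataclass

PREFIX = "_acme-challenge."

def _norm(name: str) -> str:
    """Lowercase a DNS name and drop whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()

@dataclass(frozen=True)
class AliasPlan:
    cname_owner: str   # CNAME created once in the certificate's own zone
    cname_target: str  # name that CNAME must point to
    txt_name: str      # TXT record the DNS provider API rewrites per validation

def alias_plan(domain: str, alias: str, domain_alias_mode: bool = False) -> AliasPlan:
    base, alias = _norm(domain), _norm(alias)
    if base.startswith("*."):
        base = base[2:]  # a wildcard SAN is validated at its parent name
    if not base or not alias:
        raise ValueError("domain and alias must be non-empty")
    # Challenge Alias (unchecked): prefix is added to the alias.
    # Domain Alias (checked): the alias name is used exactly as entered.
    target = alias if domain_alias_mode else PREFIX + alias
    return AliasPlan(PREFIX + base, target, target)

def missing_delegations(sans, alias, cnames, domain_alias_mode=False):
    """Return challenge names whose CNAME is absent or points elsewhere."""
    have = {_norm(k): _norm(v) for k, v in cnames.items()}
    missing = []
    for san in sans:
        plan = alias_plan(san, alias, domain_alias_mode)
        if have.get(plan.cname_owner) != plan.cname_target:
            if plan.cname_owner not in missing:
                missing.append(plan.cname_owner)
    return missing

# Constructed sample data: SAN list and the CNAMEs currently published.
SANS = ["fw.example.com", "*.example.com", "vpn.example.com"]
CNAMES = {"_acme-challenge.fw.example.com.": "_acme-challenge.validation.example.net."}

if __name__ == "__main__":
    for name in missing_delegations(SANS, "validation.example.net", CNAMES):
        print("missing or wrong CNAME:", name)
```

With alias mode, the DNS API credentials stored on the firewall only need write access to the alias zone, so a missing CNAME in the certificate's zone is the usual reason a SAN fails validation.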
- Actions List
Commands to run after the package renews a certificate.
Whether or not this action is active
Full path to command and arguments, service name, or name of script
Defines how the Command is executed by the package
- Shell Command
The Command is a full path to a shell command and its arguments
- PHP Command Script
The Command value is run as PHP code
- Restart Local Service
The name of a local service to restart
- Restart Remote Service
The name of a remote service to restart via XMLRPC. This utilizes the system XMLRPC sync configuration.
The GUI includes several examples of common actions
- Certificate Renewal After
When the package will attempt a renewal for the certificate. Default is 60 days (2 months). Certificates are valid for a maximum of