Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Certificate Settings

Certificate entries have the following settings:

Name

A short name for the certificate

Description

A longer string describing the certificate

Status

Whether or not this entry is active

Active

This entry will be processed manually and by the Cron job (General Settings)

Disabled

This entry will be ignored

Acme Account

The account key ACME will use when requesting the certificate (see Generate an Account Key)

Private Key

The key length of the private key for this certificate. May be either RSA or ECDSA in several pre-defined sizes. Select Custom to manually enter a private key generated elsewhere

2048-bit RSA is an acceptable default choice, but larger keys are more secure

OCSP Must Staple

When set, ACME will configure the certificate request for OCSP Stapling

Warning

Do not enable this option unless all consumers of the certificate support OCSP Stapling.

Domain SAN List

A list of all domain names which will be included in this certificate as Subject Alternative Name (SAN) entries.

Note

A certificate can contain up to 100 SAN entries, and they can use the same or different update methods. Each SAN must be individually validated by Let’s Encrypt before a certificate will be issued.

Mode

Whether or not this SAN is active in the certificate

Domain Name

The domain name for a SAN entry in this certificate (e.g. www.example.com)

Method

The method used by ACME to validate ownership of this domain. Method settings are described in (Validation Methods)

Click fa-plus Add for additional SAN entries

DNS Providers also have some common settings which appear for all types:

DNS Alias

An alternative domain name used by the validation process. Instead of updating the DNS record for Domain Name directly, the package uses this domain name is used instead. See DNS Alias Mode for details.

DNS Alias Mode

When set, controls whether or not the DNS alias mode used is Challenge Alias (Unchecked, Default) or Domain Alias (Checked). See DNS Alias Mode for details.

DNS-Sleep

The amount of time the ACME validation process will wait after making DNS changes before attempting to validate. Some DNS services take a few minutes to propagate entries after making backend changes.

The default settings are typically sufficient, but slower providers may require a longer sleep time.

Actions List

Commands to run after the package renews a certificate.

Mode

Whether or not this action is active

Command

Full path to command and arguments, service name, or name of script

Method

Defines how the Command is executed by the package

Shell Command

The Command is a full path to a shell command and its arguments

PHP Command Script

The Command value is run as PHP code

Restart Local Service

The name of a local service to restart

Restart Remote Service

The name of a remote service to restart via XMLRPC. This utilizes the system XMLRPC sync configuration

The GUI includes several examples of common actions

Certificate Renewal After

When the package will attempt a renewal for the certificate. Default is 60 days (2 months). Certificates are valid for a maximum of 90 days.