How to use a Windows PFX certificate with pfSense

Thanks to: https://knowledge.zomers.eu

Windows and Unix/Linux are still two different worlds. Also when it comes to certificates. This article will explain the steps needed to utilize a Windows certificate on a pfSense server. Vital is to realize you will need to have access to the certificate with the private key included. Furthermore the certificate must be created with the allow private key to be exported option on. Otherwise it is not possible to export your certificate to pfSense.
  1. First you need to create a PFX export of the certificate you wish to use on pfSense. If you already have this PFX, skip right to step 17. If you don't have a PFX yet, there are many ways to export existing certificates on Windows to a PFX. I will describe one common method for this in the next few steps.
  2. On the server which contains the certificate you wish to use on pfSense, boot up a command prompt console and type mmc followed by pressing enter.

    pfSense-ExportPfxToPfSense-LaunchMMC.png
  3. Through the File menu at the top, go to Add/Remove Snap-In...

    pfSense-ExportPfxToPfSense-MMC-FileAddSnapin.png
  4. Select Certificates in the list at the left and click on Add in the center of the dialog

    pfSense-ExportPfxToPfSense-MMC-AddCertificates.png
  5. Select the Computer account and click Next

    pfSense-ExportPfxToPfSense-MMC-CertificatesComputerAccount.png
  6. Leave Local computer selected and click Finish

    pfSense-ExportPfxToPfSense-MMC-CertificatesLocalComputer.png
  7. Note that the Certificates snap-in for the local computer has now been added to the list. Click OK at the bottom to continue.

    pfSense-ExportPfxToPfSense-MMC-CertificatesAdded.png
  8. Expand the tree at the left and go to Certificates (Local Computer) \ Personal \ Certificates. The certificates installed on that server will now be shown. Right click on the certificate you wish to transfer to pfSense, go to All Taks and click on Export.

    pfSense-ExportPfxToPfSense-MMC-ExportCertificate.png
  9. On the first page of the Certificate Export Wizard, simply click Next

    pfSense-ExportPfxToPfSense-MMC-ExportCertificateStep1.png
  10. On the next page, select Yes, export the private key. If this option is not available, it means that on this server you don't have the certificate installed with the private key included or it is installed, but with the option do not allow the private key to be exported enabled. Either way, you need to get your hands on the certificate with the private key included and also with the option which allows the private key to be exported enabled before you can continue.

    Click Next at the bottom.

    pfSense-ExportPfxToPfSense-MMC-ExportCertificateStep2.png
  11. Make sure export to PFX is selected and only the box in front of Include all certificates in the certification path if possible is checked and click Next at the bottom.

    pfSense-ExportPfxToPfSense-MMC-ExportCertificateStep3.png
  12. Enter a password to protect your certificate with. This screenshot is taken from a Windows Server 2012 machine. On previous Windows versions it looks slightly different, but the idea is the same.
    Click Next after having entered a password.

    pfSense-ExportPfxToPfSense-MMC-ExportCertificateStep4.png
  13. Enter the path where you want to store your certificate to and click Next to continue.

    pfSense-ExportPfxToPfSense-MMC-ExportCertificateStep5.png
  14. Click Finish to start the certificate export process.

    pfSense-ExportPfxToPfSense-MMC-ExportCertificateStep6.png
  15. After a few seconds, it should show a confirmation box notifying you that the certificate was successfuly exported. Dismiss the dialog by clicking OK.

    pfSense-ExportPfxToPfSense-MMC-ExportCertificateStep7.png
  16. You should now be able to find the PFX with the certificate on the location you specified at step 13. Copy it to your local machine.

    pfSense-ExportPfxToPfSense-MMC-PFX.png
  17. In order to transform the PFX certificate to the X. 509 PEM format used by pfSense, we're going to use the free open source OpenSSL application. The Win32 OpenSSL Light edition will be sufficient for this purpose. You can download it at the OpenSSL website or download it from my mirror (2 MB).

    Install the application by next-next-finish-ing through the installer process.
  18. Copy the PFX with the certificate into the OpenSSL installation path which is C:\OpenSSL-Win32 by default.
  19. Open a command prompt console and navigate to the BIN subfolder in the OpenSSL installation directory (C:\OpenSSL-Win32\bin by default). Once there, execute the following command:

    openssl pkcs12 -in <path to your PFX> -out ..\certificate.pem -nodes

    Enter the certificate password you assigned at step 12 when asked for the import password.

    pfSense-ExportPfxToPfSense-RunOpenSSLTool.png
  20. Check the OpenSSL installation folder (C:\OpenSSL-Win32 by default). It should now contain a file called certificate.pem

    pfSense-ExportPfxToPfSense-PEMCertificate.png
  21. Open this certificate.pem file in a tool like notepad++. Opening it in the default Windows notepad will make it impossible to use the file as it doesn't correctly apply the linebreaks. Leave this file open while we continue navigating to the right place in pfSense.
  22. Using the menu at the top, navigate to System -> Cert Manager

    pfSense-ExportPfxToPfSense-pfSenseCertManagerMenu.png
  23. Click on the Certificates tab

    pfSense-ExportPfxToPfSense-pfSenseCertManagerCertificatesTab.png
  24. Click on the + icon at the right bottom to add a new certificate to the store

    pfSense-ExportPfxToPfSense-pfSenseCertManagerCertificatesTabAddCert.png
  25. Make sure the method field is set to Import an existing Certificate. Enter anything you wish to identify this certificate with within pfSense in the Descriptive name field.

    First the Private key data field at the bottom. Switch to your text editor in which you opened the certificate.pem file at step 21. At the top of the file you should see a section --BEGIN PRIVATE KEY--. Copy everything above this section until and including the first line which states --END PRIVATE KEY-- into thePrivate key data field in pfSense (marked in gray on the screenshot below).

    pfSense-ExportPfxToPfSense-pfSensePrivateKey.png

    Now for the Certificate data field, start copying from the first line after the --END PRIVATE KEY-- line until and including the first line that reads --END CERTIFICATE--. Copy this into the Certificate data field in pfSense.

    pfSense-ExportPfxToPfSense-pfSensePublicKey.png

    The rest of the contents of the certificate.pem file can be ignored. The pfSense page should now look similar to the following screenshot. Press Save to complete the import process.

    pfSense-ExportPfxToPfSense-pfSenseCertManagerImportCertificate.png
You can now use this certificate in pfSense for i.e. access to the admin webUI, the Captive Portal login page or any of the other parts that make use of certificates.
The OpenSSL tool can now be uninstalled again from your machine using the conventional Uninstall a program option in Control Panel of Windows.
Last but not least, in order for your clients to be able to connect to your pfSense wifi portal without receiving an ugly "there's something wrong with your SSL certificate" warning in their browser, make sure to add all the Certificate Revocation List (CRL) urls registered in your certificate to the Allowed Hostnames section of the pfSense captive portal as shown below. This makes it possible for the browser on the connecting client device to connect to the IP addresses to which these hostnames resolve without being blocked by the pfSense captive portal login page to verify if the used SSL certificate is still valid. Once it can verify this, and the certificate is still valid, the client will not see the warning notification in its browser anymore when connecting.
pfSense-CaptivePortal-AllowedHostNames.png 
If you are unfamiliar with how to retrieve the correct CRL and OCSP paths from your certificate, just browse to your site secured with the certificate (i.e. the captive portal) and have your internet browser display the certificate details. The below screenshot shows a sample on how to do this using FireFox, but it can be done with any browser in somewhat similar steps.
pfSense-CaptivePortal-SSL-CRLOCSP.png

Comentarios

Publicar un comentario

Dime si la información de este blog te sirvio.

Entradas populares de este blog

Guía de herramientas básicas para estudiantes: 31 apps y webs imprescindibles para ayudarte con los estudios

Imagen
  Te traemos una guía con   31 aplicaciones y herramientas web para ayudarte como estudiante , una colección muy variada para sacar provecho en diferentes ámbitos en los que puedas necesitarlo. Nos hemos dejado fuera el ámbito educativo para los más jóvenes, recursos que tenemos en   esta otra guía , y nos hemos centrado en estudiantes más adultos. Hemos decidido centrarnos en herramientas prácticas, dejando fuera las plataformas para cursos online, tanto  las más conocidas  como  otras menos conocidas . Lo que hemos preferido buscar son recursos que puedas usar en tu día a día, como gestores de fuentes y citaciones, herramientas para diagramas, para intercambiar apuntes o para crear diferentes contenidos. Y lo que decimos siempre en Xataka Basics hoy cobra más sentido que nunca. Nosotros te traemos 31 herramientas, pero te invitamos a  compartir tus propuestas en la sección de comentarios  para que el resto de usuarios también pueda beneficiarse de los conocimientos de nuestros xatake
Leer más

Comando FOR para archivos BAT

Gracias a: http://profesoremiliobarco.blogspot.com/ El comando FOR sirve para ejecutar bucles de instrucciones, y es una instrucción que se encuentra disponible en todos los lenguajes de programación. Un bucle son varias repeticiones de algunas instrucciones. Este comando suele ser el más complicado de entender para las personas que empiezan a escribir archivos BAT complejos. Aqui intentaré explicar todas las opciones y usos del comando FOR, así como intentar resolver las dudas que los usuarios de Internet me puedan plantear. La sintaxis normal del comando FOR es: FOR %var IN (lista) DO (      comando     comando      ... )  Pero si lo vamos a usar dentro de un archivo BAT será así: FOR %%var IN (lista) DO (      comando     comando      ... ) Observa que la variable "var" ahora va precedida por dos simbolos de "%". Además, si este for está dentro de un archivo BAT, el nombre de la variable debe ser UNA SOLA LETRA (p.ej: %%n, %%i,  %%j , etc
Leer más

Policy Based Routing example: route one subnet via ISP A and another via ISP B

Imagen
thanks to: http://glennmatthys.wordpress.com/ Goal Setup a network with a Cisco router that routes one local subnet via internet connection A and another local subnet via internet connection B. In this example we’ll use one LAN side, which has two subnets: 192.168.1.0/24 192.168.2.0/24 We want traffic destined for the internet, originating from the 192.168.1.0/24 network, to be sent to ISP A, which is connected to FastEthernet0 We want traffic destined for the internet, originating from the 192.168.2.0/24 network, to be sent to ISP B, which is connected to FastEthernet1 Both internet connections get their IP address via DHCP. Prerequisites For this  configuration you’ll need: One dual WAN router, such as a 1811 Two internet connections (or simulated ones) 2 nodes, one for the 192.168.1.0/24 subnet and one for the 192.168.2.0/24 subnet. These can be two different computers, or two virtual machines, etc… ClientA, Windows 7, will connect to 192.168.1.0/24 and sur
Leer más