Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


Generate a certificate for pfsense

To generate a CSR, to to System then Cert Manager. Go to the tab Certificates and click the + icon at the bottom right of the list.

The certificate creation should now be open. Choose the Create a certificate signing request method. Choose a name for your certificate, nmake sure the key size is at least 2048 bits, and that the Digest Algorithm is SHA256

It is mandatory that the Certificate type be Server Certificate. You now only have to fill the fields:

  • C: Country:
    indicate FR if your company is in France, BE for Belgium, etc, in uppercase preferably.

  • ST: State:
    in France indicate the name of the department where your company headquarters are based (not the number).

  • L: Location / City:
    indicate the city where your company headquarters are based.

  • O: Organisation / Company Name:
    indicate the corporate name of your company (no trade name or acronym), in uppercase preferably.

  • OU: Organisational unit / Department / Branch:
    This field should not be asked by pfsense. If that is the case, we recommend not to fill in this field or to enter a generic term such as "IT Department".
  • email Address:
    This field is not required for you certificate issuance. Leave it empty or fill in any address.
  • CN: Common name / domain name / server name / FQDN:
    Indicate here your SSL server name, such as "secure.company.com", "www.my-domain.com" or "www.product.com". No IP address (learn more). No spaces nor blank characters.

    In the case you want to order a multiple-domains / SANs certificate, just enter the main address in the CSR. This one cannot be change during your certificate lifetime. Enter the other address to secure in the order form (those ones can be modified via reissuance).

    N.B.: Using certificates with internal names (xxx.local, yyy.priv, machine_name) or a domain that is not registered or controlled by IANA is disapproved by the CA/Browsers Forum and won't be accepted anymore by November 2015 (learn more).

You now click Save and retrieve your CSR.

See also