How to Generate a Certificate Signing Request (CSR) in pfSense?
Overview
This guide provides the step‑by‑step process for generating a Certificate Signing Request (CSR) in pfSense using the built‑in Certificate Manager. Creating a CSR allows you to request a signed SSL/TLS certificate from an external Certificate Authority (CA) for securing pfSense services such as the WebGUI.
Platform: Steps below are based on pfSense version 2.8.1-RELEASE (amd64)
Prerequisites
Before you begin, ensure you have the following:
- Administrator access to the pfSense WebGUI
- A running pfSense firewall (version 2.8.1-RELEASE or later)
- A fully qualified domain name (FQDN) or hostname for which the certificate will be issued
- Access to an external Certificate Authority (CA) to submit the CSR
Step-by-Step: Generate a CSR in pfSense
pfSense can generate a CSR directly in the Cert Manager section for signing by an external CA.
A CSR is required when requesting an SSL certificate from a Certificate Authority (CA).
Step 1: Log in to the pfSense WebGUI
Sign in to the pfSense WebGUI using an administrator account with permission to manage system certificates.
Step 2: Navigate to the Certificate Manager
From the top navigation menu, go to:
System → Certificates
This section is used to create, manage, and export certificates and CSRs in pfSense.
Step 3: Add a New Certificate Entry
Select Certificates, then click the + Add/Sign button at the bottom right.
In the Method dropdown, choose: Create a Certificate Signing Request
This tells pfSense to generate:
- A private key
- A CSR (public portion)
Step 4: Fill Out the CSR Information
You will be prompted for standard certificate fields. These typically include:
- Descriptive name – Anything meaningful (e.g., pfSense-HTTPS)
- Key length – Normally 2048 or 4096 bits
- Digest algorithm – e.g., SHA256
- Common Name (CN) – The hostname or FQDN you'll access pfSense with (for example: fw.mydomain.com)
- Optional details:
  - Country
  - State
  - City
  - Organization
  - Email
  - Subject Alternative Names (SANs)
pfSense identifies these as standard certificate properties when creating or managing certificates.
Step 5: Save the CSR
Click Save.
pfSense now generates:
- A CSR (to send to Sectigo)
- A private key (stored locally in pfSense; it is not part of the CSR and is not sent to the CA)
Step 6: Export / Copy the CSR
- In System → Certificates → Certificates, locate the entry you created.
- Click the Export CSR icon.
This exports the CSR text, which you submit to Sectigo.
Step 7: Submit the CSR to Sectigo
Take the exported CSR and paste it into Sectigo's SSL request form.
Once Sectigo signs your certificate, they'll send you:
- Your primary certificate
- Sectigo root & intermediate certificates (often as a bundle)
These will later be imported into pfSense.
You’re Done!
You’ve successfully generated a CSR in pfSense.
Verification
To confirm that the CSR generation was successful:
- Verify that the certificate entry appears in System → Certificates
- Ensure the Export CSR option is available for the entry
- Confirm the CSR text begins with -----BEGIN CERTIFICATE REQUEST-----
Once the CSR is accepted by your Certificate Authority and a signed certificate is returned, the certificate can be imported into pfSense for use.
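The checks above can be extended on a workstation before the CSR is submitted. The following is an added example, not part of the original article or of pfSense: it inspects the exported CSR for the PEM header, self-signature, key length, digest, Common Name and SAN chosen in Step 4. It assumes OpenSSL 1.1.1 or later; `check_csr`, `make_sample_csr` and the throwaway sample CSR are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a CSR exported from pfSense before sending it to the CA.
# check_csr FILE HOSTNAME MIN_BITS returns 0 only if every check passes.
check_csr() {
    csr=$1; name=$2; min_bits=$3; rc=0
    # 1. PEM armor: must be a certificate request and must not carry a private key.
    head -n 1 "$csr" | grep -q '^-----BEGIN CERTIFICATE REQUEST-----' ||
        { echo "FAIL: not a PEM certificate request"; return 1; }
    if grep -q 'PRIVATE KEY' "$csr"; then
        echo "FAIL: file contains a private key, do not submit it"; return 1
    fi
    # 2. Self-signature: catches truncation or corruption from copy/paste.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: self-signature does not verify"; rc=1; }
    text=$(openssl req -in "$csr" -noout -text) || return 1
    # 3. RSA key length (Step 4: normally 2048 or 4096 bits).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min_bits" ] ||
        { echo "FAIL: key is ${bits:-unknown} bits, expected >= $min_bits"; rc=1; }
    # 4. Digest algorithm: reject SHA-1 and MD5 request signatures.
    if printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: *(sha1|md5)'; then
        echo "FAIL: weak digest algorithm"; rc=1
    fi
    # 5. Common Name must equal the hostname used to reach pfSense.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p')
    [ "$cn" = "$name" ] || { echo "FAIL: CN is '$cn', expected $name"; rc=1; }
    # 6. SAN: browsers match the hostname against DNS SAN entries, not the CN.
    printf '%s\n' "$text" | tr ', ' '\n\n' | grep -Fxq "DNS:$name" ||
        { echo "FAIL: no DNS SAN for $name"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $csr"
    return "$rc"
}

# Constructed sample standing in for the pfSense export (throwaway key).
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=fw.mydomain.com" -addext "subjectAltName=DNS:fw.mydomain.com" \
        -keyout "$1/sample.key" -out "$1/sample.csr" 2>/dev/null
}

# Demo run against the constructed sample.
d=$(mktemp -d) && make_sample_csr "$d" && check_csr "$d/sample.csr" fw.mydomain.com 2048
rm -rf "$d"
```

For a real request, save the text from Export CSR to a file and call `check_csr` with that file, the FQDN entered as the Common Name, and the minimum key length you require.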