This tutorial shows you how to install an SSL certificate on pfSense using the web GUI. You will import your certificate and its private key into the Certificate Manager, import the issuing CA chain, and then assign the certificate to the pfSense web interface (the webConfigurator).
Generate a CSR code on pfSense
A CSR (Certificate Signing Request) is a block of encoded text that carries your organization details and public key. You submit it to your Certificate Authority during the SSL application process, and the matching private key is created at the same time. You have two options:
- Generate the CSR automatically with our CSR Generator. This is the simplest route, and it lets you keep the private key on a machine you control.
- Generate the CSR inside pfSense. Go to System > Certificates, open the Certificates tab, click Add/Sign, and set Method to Create a Certificate Signing Request. Fill in the common name and the rest of the fields, then save. pfSense stores the private key for you and shows the CSR to copy into your order. For more background, see our how to generate a CSR guides.
Submit the CSR to the Certificate Authority when you place your order. Once the CA validates it and issues your certificate, continue with the installation below.
Install an SSL certificate on pfSense
After the CA validates your request, it emails you the certificate files. A typical bundle contains your server certificate, one or more intermediate certificates, and a root certificate (often delivered together as a CA bundle). Import the CA chain first so pfSense can build a complete, trusted path, then import your server certificate.
Step 1: Import the root and intermediate certificates
- In the pfSense GUI, go to System > Certificates and open the Authorities tab (labeled CAs).
- Click the Add button (the + icon) at the bottom right of the list.
- From the Method drop-down, select Import an existing Certificate Authority.
- Give it a clear Descriptive name, paste the CA certificate into the Certificate data box, and click Save.
If your CA bundle contains both an intermediate and a root certificate, import each one as a separate CA entry. Importing the full chain here is what prevents the common “incomplete certificate chain” error that breaks trust on some devices and browsers.
Step 2: Import your server certificate
How you import the server certificate depends on where you created the CSR.
If you generated the CSR on pfSense:
- Go to System > Certificates and open the Certificates tab.
- Find the pending entry that matches the CSR you created (it is marked as an external/pending request) and click the Update (edit) icon next to it.
- Paste the issued certificate into the Final Certificate data box and click Save. pfSense already holds the matching private key, so you do not paste it again.
If you generated the CSR with an external tool (for example, the SSL Dragon CSR Generator), import the certificate and its private key together:
- Go to System > Certificates, open the Certificates tab, and click the Add/Sign button at the bottom right.
- From the Method drop-down, select Import an existing Certificate.
- Enter a Descriptive name, paste your certificate into Certificate data, and paste the unencrypted private key into Private key data.
- Click Save. The new certificate now appears in the list, ready to assign to a service.
Tip: the private key must be unencrypted (no passphrase) for pfSense to accept it. If your key starts with —–BEGIN ENCRYPTED PRIVATE KEY—–, remove the passphrase before importing.
Apply the certificate to the pfSense web GUI
Importing the certificate does not activate it on its own. To secure the pfSense web interface (the webConfigurator) with your new certificate, assign it under Admin Access:
- Go to System > Advanced and open the Admin Access tab.
- Under webConfigurator, set Protocol to HTTPS (SSL/TLS).
- In the SSL/TLS Certificate drop-down, select the certificate you just imported.
- Scroll to the bottom and click Save. pfSense restarts the web GUI on the new certificate.
After the GUI restarts, reload it in your browser over https://. If you changed the port at the same time, include the new port in the address. You should now see a valid padlock with no certificate warning.
To use the same certificate elsewhere on pfSense, select it from the certificate drop-down in that service’s settings: for example HAProxy front-ends, the OpenVPN server, or the Captive Portal. Each service references the certificate you imported into the Certificate Manager, so a single import can serve multiple roles.
Test your installation
Once the certificate is live, confirm it is served correctly and that the chain is complete. If the pfSense GUI is reachable from the internet, run it through one of our SSL Checker for an instant report on the certificate, chain, and protocol support.
For an internal or LAN-only firewall, check the certificate directly from any machine that has OpenSSL installed. Replace the host and port with your firewall’s address (the GUI defaults to port 443 over HTTPS):
echo | openssl s_client -connect 192.168.1.1:443 -servername firewall.yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates
This prints the issuer, subject, and validity dates of the certificate pfSense is serving. If the issuer matches your CA and the dates are current, the installation is working. You can also simply open the GUI in a browser and inspect the padlock to confirm the chain resolves without warnings.
Where to buy the best SSL certificate for pfSense?
If you are looking for a great shopping experience, SSL Dragon is your best SSL seller. Our intuitive, user-friendly website guides you smoothly through the entire range of SSL certificates. Every product is issued by a reputable Certificate Authority and is fully compatible with pfSense.
Enjoy some of the lowest prices on the market and dedicated customer support for any certificate you choose.
And if you are struggling to find the perfect cert for your firewall, use our SSL Wizard to get a helping hand.
Frequently Asked Questions
Import certificates from the Certificate Manager at System > Certificates. Use the Authorities (CAs) tab for your root and intermediate certificates, and the Certificates tab for your server certificate and private key. After importing, assign the certificate to a service such as the web GUI.
Go to System > Advanced > Admin Access, set Protocol to HTTPS (SSL/TLS), choose your imported certificate in the SSL/TLS Certificate drop-down, and click Save. pfSense restarts the web GUI on the selected certificate. You must import the certificate into the Certificate Manager first before it appears in the drop-down.
The drop-down only lists certificates that have a matching private key. If you imported the certificate without its key, or pasted an encrypted key, pfSense will not offer it. Re-import the certificate using Import an existing Certificate and paste both the Certificate data and the unencrypted Private key data.
Yes. Import the intermediate (and root) certificates as CA entries under System > Certificates > Authorities so pfSense can send a complete chain. Without the intermediate, clients may report an untrusted or incomplete certificate chain even though the server certificate itself is valid.
Open the pfSense GUI over https:// and confirm the browser shows a valid padlock with no warning. From a computer with OpenSSL, you can also query the firewall directly:echo | openssl s_client -connect 192.168.1.1:443 -servername firewall.yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
If it returns your CA as the issuer and current validity dates, the certificate is installed and active.
Yes. Any certificate in the Certificate Manager can be reused across services. Select it from the certificate drop-down in the settings for HAProxy, the OpenVPN server, the Captive Portal, or other TLS-enabled services. One import can serve several roles.
Bottom line
Installing an SSL certificate on pfSense is a GUI-driven process: import the CA chain under System > Certificates > Authorities, import your server certificate and private key under the Certificates tab, then assign it to the web GUI in System > Advanced > Admin Access with Protocol set to HTTPS (SSL/TLS). Reuse the same certificate for OpenVPN or HAProxy as needed.
Need a certificate first? Browse our SSL certificates.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


