In this guide, you’ll learn how install an ACME SSL certificate on pfSense. The firewall now supports the ACME protocol natively through its built-in package, which lets you automate SSL certificate issuance and renewal.

This process works with commercial certificate authorities (CAs) that support ACME + External Account Binding (EAB).
Before You Start
You’ll need:
- A pfSense 2.7 or Plus 23.x firewall with Internet access.
- SSH or WebGUI admin access.
- Your CA’s ACME directory URL, EAB Key ID, and HMAC key.
- A public domain (for example,
vpn.example.com) that resolves to your pfSense WAN IP.
Step 1: Install the ACME Package
- Go to System > Package Manager > Available Packages.
- Search for acme.
- Click Install, then confirm.
- After installation, you’ll find a new menu at Services > ACME Certificates.
Step 2: Create an ACME Account Key
- In the pfSense menu, go to Services > ACME Certificates > Account Keys.
- Click + Add to create a new account.
- Fill out these fields exactly as follows:
- Name – Give the account an easy identifier (for example Sectigo-EAB).
- ACME Server URL – Paste your CA’s directory endpoint, e.g. https://acme.sectigo.com/v2/DV
- Email Address – Enter the admin contact used with your CA.
- EAB Key ID and EAB HMAC Key – Insert both values provided by your CA. (These fields appear in the GUI only if your CA requires External Account Binding.)
- Click Create new account key, then Register ACME account key.
If the EAB fields aren’t visible in your pfSense build, you can still register normally, then later use an external ACME client (such as acme.sh) to issue and import certificates manually. Functionally, both paths work with commercial CAs that support ACME + EAB.
Step 3: Add a New Certificate Entry
- Go to Services > ACME Certificates > Certificates.
- Click + Add and name the entry (e.g., vpn-example).
- Under Account Keys, select the account you created earlier.
- In the Domain SAN List, add your domain (e.g., vpn.example.com).
- For Challenge Type, choose HTTP-01 (recommended).
- In the Method, pick webroot local folder or standalone depending on your setup.
- Click Save and Apply.
Step 4: Set Up HTTP Validation
The CA must reach your pfSense device on port 80 to confirm domain ownership.
If you already use port 80 for another service, temporarily redirect or forward it to pfSense’s internal webroot.
Make sure any HTTPS redirection allows the pathhttp://vpn.example.com/.well-known/acme-challenge/ to stay on plain HTTP.
For edge cases behind NAT or reverse proxies, use a port-forward or virtual server rule to ensure external access to that validation path.
Step 5: Issue the Certificate
Back in Services > ACME Certificates, click the Issue/Renew button for your certificate.
You’ll see live logs showing each step:
- Account verification
- Domain validation
- Certificate issuance
Once complete, your new certificate will appear under System → Certificates.
Step 6: Apply the Certificate
Use your new SSL certificate for any service on pfSense:
- WebGUI: System > Advanced > Admin Access > SSL Certificate
- OpenVPN / IPsec / HAProxy: select the same certificate from their respective dropdowns
- Click Save and Apply Changes
The ACME package handles renewals automatically. By default, pfSense renews certificates 30 days before expiration.
To check or trigger manually go to Services > ACME Certificates > Issue/Renew
Fallback Method: Generate the Certificate Externally and Import It into pfSense
If your commercial CA’s ACME flow doesn’t register directly inside pfSense, you can still issue the certificate on another Linux or BSD server and import it manually. This method works with any CA that supports ACME + External Account Binding (EAB) and is the most reliable fallback for complex or unsupported environments.
Step 1: Set up ACME.sh
On any Linux or BSD machine with internet access, install the ACME client:
curl https://get.acme.sh | sh
source ~/.bashrc
This installs acme.sh in your home directory and prepares it for use with commercial ACME endpoints.
Step 2: Register your ACME account with your CA
Use the credentials from your CA’s ACME portal, the directory URL, Key ID, and HMAC key.
acme.sh --register-account \
--server https://acme.yourca.com/v2/acme \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--accountemail [email protected]
This step authenticates your system with the CA’s ACME service. You only do it once per account.
Step 3: Request the certificate
Issue a certificate for your pfSense domain (for example vpn.example.com).
acme.sh --issue \
-d vpn.example.com \
--server https://acme.yourca.com/v2/acme \
--eab-kid YOUR_EAB_KID \
--eab-hmac-key YOUR_EAB_HMAC_KEY \
--standalone
If your CA or network setup requires DNS validation instead, replace the last line with --dns dns_cf (Use the DNS plugin that matches your provider.)
When finished, the certificates are stored under: ~/.acme.sh/vpn.example.com/
Step 4: Locate the files
Inside that folder, you’ll see:
- fullchain.cer — certificate and intermediate chain
- vpn.example.com.key — private key
- ca.cer — CA root/intermediate certificate
These are the files you’ll upload to pfSense.
Step 5: Import the certificate into pfSense
Log in to pfSense and go to System > Certificates.
- Click Add/Import.
- Paste the contents of your certificate (
fullchain.cer) and private key (vpn.example.com.key). - Optionally, add the CA chain (
ca.cer). - Click Save.
pfSense will now recognize and store this commercial certificate as valid.
Step 6: Apply and automate
You can now use the imported certificate for:
- System > Advanced > Admin Access (WebGUI)
- OpenVPN or IPsec servers
- HAProxy or Nginx packages
For renewals, automate the process by scheduling a cron job on your external host to renew with acme.sh, then re-upload the files to pfSense using SCP or the pfSense API.
Common Questions
If you’re setting up ACME with a commercial CA for the first time, check the answers to the most frequent questions:
Can I use this with any CA?
You can use this with a CA that provides an ACME Directory URL and EAB credentials (like Sectigo or DigiCert).
Which port is required for validation?
Only port 80 (HTTP). Don’t redirect it to HTTPS until validation completes.
Why did my validation suddenly start failing after it worked before?
If your ACME setup was working and suddenly fails, it’s usually caused by a network or DNS change. Check if your WAN IP or NAT rule changed, or if a new firewall policy is blocking inbound HTTP (port 80). Also make sure your domain still resolves to the same public IP. ACME validation depends on external reachability. Even one redirect or blocked port can break it.
Can I share EAB credentials across devices?
It depends on your CA, some require unique credentials per domain or appliance.
Final Words
With this setup, you can install an ACME SSL Certificate on pfSense from commercial CAs that supports EAB and maintain full automation over its lifecycle. It’s a stable, enterprise-grade way to keep your VPNs, WebGUI, and reverse proxies continuously trusted without manual renewals, broken chains, or downtime interrupting critical services.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

