bg-tutorials

How to Install an ACME SSL Certificate on pfSense

In this guide, you’ll learn how install an ACME SSL certificate on pfSense. The firewall now supports the ACME protocol natively through its built-in package, which lets you automate SSL certificate issuance and renewal.

pfsense ACME SSL

This process works with commercial certificate authorities (CAs) that support ACME + External Account Binding (EAB).


Before You Start

You’ll need:

  • A pfSense 2.7 or Plus 23.x firewall with Internet access.
  • SSH or WebGUI admin access.
  • Your CA’s ACME directory URL, EAB Key ID, and HMAC key.
  • A public domain (for example, vpn.example.com) that resolves to your pfSense WAN IP.

Step 1: Install the ACME Package

  1. Go to System > Package Manager > Available Packages.
  2. Search for acme.
  3. Click Install, then confirm.
  4. After installation, you’ll find a new menu at Services > ACME Certificates.

Step 2: Create an ACME Account Key

  1. In the pfSense menu, go to Services > ACME Certificates > Account Keys.
  2. Click + Add to create a new account.
  3. Fill out these fields exactly as follows:
    • Name – Give the account an easy identifier (for example Sectigo-EAB).
    • ACME Server URL – Paste your CA’s directory endpoint, e.g. https://acme.sectigo.com/v2/DV
    • Email Address – Enter the admin contact used with your CA.
    • EAB Key ID and EAB HMAC Key – Insert both values provided by your CA. (These fields appear in the GUI only if your CA requires External Account Binding.)
  4. Click Create new account key, then Register ACME account key.

If the EAB fields aren’t visible in your pfSense build, you can still register normally, then later use an external ACME client (such as acme.sh) to issue and import certificates manually. Functionally, both paths work with commercial CAs that support ACME + EAB.


Step 3: Add a New Certificate Entry

  1. Go to Services > ACME Certificates > Certificates.
  2. Click + Add and name the entry (e.g., vpn-example).
  3. Under Account Keys, select the account you created earlier.
  4. In the Domain SAN List, add your domain (e.g., vpn.example.com).
  5. For Challenge Type, choose HTTP-01 (recommended).
  6. In the Method, pick webroot local folder or standalone depending on your setup.
  7. Click Save and Apply.

Step 4: Set Up HTTP Validation

The CA must reach your pfSense device on port 80 to confirm domain ownership.

If you already use port 80 for another service, temporarily redirect or forward it to pfSense’s internal webroot.

Make sure any HTTPS redirection allows the path
http://vpn.example.com/.well-known/acme-challenge/ to stay on plain HTTP.

For edge cases behind NAT or reverse proxies, use a port-forward or virtual server rule to ensure external access to that validation path.


Step 5: Issue the Certificate

Back in Services > ACME Certificates, click the Issue/Renew button for your certificate.

You’ll see live logs showing each step:

  • Account verification
  • Domain validation
  • Certificate issuance

Once complete, your new certificate will appear under System → Certificates.


Step 6: Apply the Certificate

Use your new SSL certificate for any service on pfSense:

  • WebGUI: System > Advanced > Admin Access > SSL Certificate
  • OpenVPN / IPsec / HAProxy: select the same certificate from their respective dropdowns
  • Click Save and Apply Changes

The ACME package handles renewals automatically. By default, pfSense renews certificates 30 days before expiration.

To check or trigger manually go to Services > ACME Certificates > Issue/Renew


Fallback Method: Generate the Certificate Externally and Import It into pfSense

If your commercial CA’s ACME flow doesn’t register directly inside pfSense, you can still issue the certificate on another Linux or BSD server and import it manually. This method works with any CA that supports ACME + External Account Binding (EAB) and is the most reliable fallback for complex or unsupported environments.

Step 1: Set up ACME.sh

On any Linux or BSD machine with internet access, install the ACME client:


curl https://get.acme.sh | sh
source ~/.bashrc

This installs acme.sh in your home directory and prepares it for use with commercial ACME endpoints.

Step 2: Register your ACME account with your CA

Use the credentials from your CA’s ACME portal, the directory URL, Key ID, and HMAC key.

acme.sh --register-account \
  --server https://acme.yourca.com/v2/acme \
  --eab-kid YOUR_EAB_KID \
  --eab-hmac-key YOUR_EAB_HMAC_KEY \
  --accountemail [email protected]

This step authenticates your system with the CA’s ACME service. You only do it once per account.

Step 3: Request the certificate

Issue a certificate for your pfSense domain (for example vpn.example.com).

acme.sh --issue \
  -d vpn.example.com \
  --server https://acme.yourca.com/v2/acme \
  --eab-kid YOUR_EAB_KID \
  --eab-hmac-key YOUR_EAB_HMAC_KEY \
  --standalone

If your CA or network setup requires DNS validation instead, replace the last line with --dns dns_cf (Use the DNS plugin that matches your provider.)

When finished, the certificates are stored under: ~/.acme.sh/vpn.example.com/

Step 4: Locate the files

Inside that folder, you’ll see:

  • fullchain.cer — certificate and intermediate chain
  • vpn.example.com.key — private key
  • ca.cer — CA root/intermediate certificate

These are the files you’ll upload to pfSense.

Step 5: Import the certificate into pfSense

Log in to pfSense and go to System > Certificates.

  1. Click Add/Import.
  2. Paste the contents of your certificate (fullchain.cer) and private key (vpn.example.com.key).
  3. Optionally, add the CA chain (ca.cer).
  4. Click Save.

pfSense will now recognize and store this commercial certificate as valid.

Step 6: Apply and automate

You can now use the imported certificate for:

  • System > Advanced > Admin Access (WebGUI)
  • OpenVPN or IPsec servers
  • HAProxy or Nginx packages

For renewals, automate the process by scheduling a cron job on your external host to renew with acme.sh, then re-upload the files to pfSense using SCP or the pfSense API.


Common Questions

If you’re setting up ACME with a commercial CA for the first time, check the answers to the most frequent questions:

Can I use this with any CA?

You can use this with a CA that provides an ACME Directory URL and EAB credentials (like Sectigo or DigiCert).

Which port is required for validation?

Only port 80 (HTTP). Don’t redirect it to HTTPS until validation completes.

Why did my validation suddenly start failing after it worked before?

If your ACME setup was working and suddenly fails, it’s usually caused by a network or DNS change. Check if your WAN IP or NAT rule changed, or if a new firewall policy is blocking inbound HTTP (port 80). Also make sure your domain still resolves to the same public IP. ACME validation depends on external reachability. Even one redirect or blocked port can break it.

Can I share EAB credentials across devices?

It depends on your CA, some require unique credentials per domain or appliance.


Final Words

With this setup, you can install an ACME SSL Certificate on pfSense from commercial CAs that supports EAB and maintain full automation over its lifecycle. It’s a stable, enterprise-grade way to keep your VPNs, WebGUI, and reverse proxies continuously trusted without manual renewals, broken chains, or downtime interrupting critical services.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.