bg-tutorials

How to Generate a CSR on pfSense

This guide shows you how to generate a CSR (Certificate Signing Request) on a pfSense firewall using the web GUI. You will create the request under System > Certificates, fill in your organization details and any SAN entries, and then export the encoded CSR to submit to your Certificate Authority. The matching private key is generated at the same time and stays on the firewall, so the signed certificate must be imported back onto the same pfSense instance later.

The steps match current pfSense releases (Community Edition 2.7.x and 2.8.x, and pfSense Plus 24.x). The menu labels and field names are identical across both editions.

Generate the CSR on pfSense

If you already generated your CSR somewhere else, skip ahead to After the CA issues your certificate and follow the import steps with the file your CA sent you.

Step 1: Open the Certificates screen

  • Log in to the pfSense web GUI as an administrator.
  • Go to System > Certificates (older builds label this menu Cert. Manager; both lead to the same screen).
  • Open the Certificates tab.
  • Click the + Add/Sign button at the bottom right of the certificate list.

Step 2: Choose the CSR method

The Add/Sign a New Certificate screen opens. At the top, set:

  • Method: Create a Certificate Signing Request. This is the option that produces a CSR for a public CA. It hides the Certificate Type and CA fields, because those only apply when pfSense is signing its own certificate.
  • Descriptive name: a label to identify the certificate inside pfSense, for example yourdomain.com 2026. This is internal only; it does not have to match the domain.

Step 3: Set the key options

Under Key Type, leave the defaults unless your CA requires otherwise:

  • Key type: RSA (or ECDSA if your CA and clients support it).
  • Key length: 2048 bits for RSA. 2048 is the minimum public CAs accept; 3072 or 4096 are also fine.
  • Digest Algorithm: sha256. Anything weaker (SHA-1, MD5) is rejected by every public CA and modern browser.

Step 4: Fill in the Distinguished Name

Under Certificate Signing Request (the lower half of the form), enter your organization details. These fields end up in the Subject of the issued certificate, so use the legal company name registered with your CA:

  • Country Code: the two-letter ISO country code, for example US.
  • State or Province: the full name, for example New Mexico. Do not abbreviate.
  • City: the full name of the city, for example Albuquerque.
  • Organization: the full legal name of your company, for example Your Company LLC.
  • Organizational Unit: this field is deprecated by the CA/Browser Forum and most public CAs strip it from issued certificates. Leave it blank.
  • Email Address: a working contact address at the same organization.
  • Common Name: the exact fully qualified domain name you want to secure, for example yourdomain.com. For a wildcard certificate, put an asterisk in front, for example *.yourdomain.com.

Step 5: Add Subject Alternative Names

Public CAs validate and present certificates by their Subject Alternative Name (SAN) entries, not the Common Name. Even single-name certificates need the CN repeated as a SAN, which pfSense does for you automatically. Add an extra SAN row for every additional host name or IP that should be on the certificate.

  • Under Alternative Names, click Add for each entry.
  • Set Type to FQDN or Hostname for a domain (for example www.yourdomain.com), or IP address for a literal IP. Public CAs only sign IP SANs on certain certificate products, so confirm with your CA before adding them.
  • Enter the value in the Value column.

If your CA’s order form lists a different SAN set than what you sent, the CA’s list wins: the certificate is issued for whatever names the CA validated, not necessarily every name in the CSR.

Step 6: Save the request

Scroll to the bottom and click Save. pfSense generates the CSR and its matching private key and stores them as a single entry on the Certificates tab, marked as a pending external request.

Important: do not delete this entry while you wait for the signed certificate. The private key lives only inside it, and pfSense uses the same entry to pair the issued certificate with the key when you import it.

Export the CSR and submit it to the CA

To copy the CSR text out of pfSense:

  • On the Certificates tab, find your new entry in the list.
  • In the Actions column at the right, click the Export Certificate Signing Request icon (the download arrow). pfSense saves a .req file to your computer.

Open the .req file in any plain-text editor (Notepad, TextEdit, VS Code). The contents look like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIC1zCCAb8CAQAwgZExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApOZXcgTWV4aWNv
... (base64 lines) ...
-----END CERTIFICATE REQUEST-----

During SSL enrollment, paste the whole block, including the BEGIN and END lines, into the CSR box on your CA’s or reseller’s order form.

Check the CSR before you submit it

It is worth confirming the CSR contains the right domain and organization details before you place the order, because a CSR cannot be edited after the fact: any change to the text invalidates the signature.

If you have OpenSSL on any machine, decode the exported request with:

openssl req -noout -text -in yourdomain.req

Check that the Common Name, the SAN entries, and the organization fields are correct. Without OpenSSL, paste the request text into our online CSR decoder for the same view. If anything is wrong, generate a new CSR on the firewall and submit that one instead.

You can also generate the CSR outside the firewall with our CSR Generator if you prefer to prepare the request details in a browser. In that case the private key is generated outside pfSense too, and you will import the certificate and key together as a bundle later.

After the CA issues your certificate

When the signed certificate comes back from the CA, import it into the same pending entry on pfSense so it is paired with the private key already stored there. Do not create a new certificate entry, and do not delete the pending one.

  • Go back to System > Certificates and open the Certificates tab.
  • In the row for your pending CSR, click the edit (pencil) icon in the Actions column to open the entry for update.
  • Paste the issued certificate (the contents of the .crt or .pem file the CA sent) into the Final Certificate data box and click Update.

The full installation procedure, including importing the intermediate CA and assigning the certificate to the pfSense web GUI, HAProxy, OpenVPN, or other services, is covered in our guide on how to install an SSL certificate on pfSense.

Once the certificate is live, verify it with our SSL Checker for an instant report on the certificate, the chain, and the protocol support negotiated by the firewall.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.