Replacing a self-signed certificate on pfSense with a trusted SSL/TLS certificate from a CA is relatively easy and improves security
@unixfly 1 year ago
How about valid signed certs for Squid proxy?
@AlexDiamantopulo 6 months ago
@unixfly Use the ACME package.
@garethcamp3048 1 year ago
One of the clearest and most to-the-point videos I have ever seen on YouTube, many thanks.
@TechTutorialsDavidMcKone 1 year ago
Good to know the video was useful.
@Zambiziify 1 year ago
Yes, I totally agree... very clear and concise, the very opposite of me =)
@brittanysikora8727 9 months ago
Worked like a charm, thank you so much!!
@TechTutorialsDavidMcKone 9 months ago
Good to know the video was helpful. Thanks for the feedback.
@alejom200 1 year ago
Good video, but I don't see when the .crt file is created.
@TechTutorialsDavidMcKone 1 year ago
I didn't cover that because there are so many ways to create one. Some will use the CA on their NAS, maybe a public CA, the CA in pfSense itself and so on. In the case of internal CAs it would also require covering the topic of how to get browsers to trust the CA, etc. I came to the conclusion that it wouldn't be practical to repeat this again and again in every video I create for different services. I'd be repeating the same thing in every video and it just results in longer videos with content folks have already seen. So I have one broad video covering OpenSSL for instance which shows how to set up the CA, server certificates, etc.: kzbin.info/www/bejne/pIC2nWeaot6qm5o That way, if someone wants to use their NAS instead, they don't need to skip over that in this video.
@JPEaglesandKatz 2 years ago
Nice video, although I think you may have skipped a step telling us where to actually send the exported signing request. I have no idea where to send this file, but it is still early days so maybe I've missed something... Otherwise yet another great video... Appreciate the clear, calm and skillful explanation :)
@TechTutorialsDavidMcKone 2 years ago
Thanks for the feedback, it's really appreciated. The file needs to be sent to a certificate authority (CA) your web browser trusts, who will then send back a signed certificate. There are too many options when it comes to CAs and everyone will have their own preference, so that's why I only said send it to a CA but didn't provide any details. E.g. you can create your own CA on a NAS, on a Linux server using OpenSSL, even on pfSense itself. I don't use a public CA myself as it's not a recommended practice, but each to their own. Because I did an earlier video on how to create a CA using OpenSSL though, there's a section at the end on how you can use that to get a signed certificate for pfSense.
@ierosgr 2 years ago
@TechTutorialsDavidMcKone I am trying to understand the general idea of this method. After the certificate request is sent, it was sent where? Isn't an option needed somewhere to set where this SSL/TLS certificate exists? Else how is it going to know the destination of that request? (You kind of answered, still how do I know what the browser trusts or not? And where is that option to change the CA inside pfSense, at least before exporting the file?) Do you trick the browser in order to copy-paste the pending certificate for approval and you use it in the certificate you exported?
@TechTutorialsDavidMcKone 2 years ago
The idea is that you create a certificate request (CSR) and send that to a certificate authority (CA). How you send that depends on the CA, but it could involve uploading the CSR file we exported to a website, for instance. The CA will carry out background checks and if everything is OK, they'll create a signed certificate that was created by one of their root or intermediary CA servers. How you get that certificate again depends on the CA, but you might download it from their website. Once you have this certificate you update pfSense, in this case by copying and pasting it in, and this completes the certificate request process. The end result is pfSense now has a signed certificate stored on its hard drive. But we have to re-configure pfSense so that it presents the signed certificate to web browsers going forward. By default, web browsers come supplied with what are called root certificates from various publicly trusted CA servers. If a web server presents a certificate signed by one of them, there's nothing else to do on a web browser because they trust the root certificate and any certificate signed by the server it came from. But that's not a recommended practice for internal servers. It's better to have your own root/intermediary CA server and sign these yourself, because you don't want to make internal computer information publicly available. There are different ways to do this, although I've covered OpenSSL for instance in a separate video. For that, I copied the exported file to my root CA using SFTP, created a certificate, then copied that to the PC so I could add it to pfSense. Now a web browser won't trust a certificate from an internal CA by default, and so you have to add the root certificate from your own CA server to your web browser, which I also covered in the other video. After that it will trust any certificate signed by your root server.
@satstube 2 years ago
@TechTutorialsDavidMcKone So basically, if I want to use my own domain managed by Cloudflare and its 15-year signed certificates, all I need to do then is go to the Manage Certificates section in pfSense: 1. Add/import (basically copy) over the CERTIFICATE BEGIN and KEY into the certificates section. 2. Follow the rest of the video. Optionally add the root Cloudflare CA PEM file they let you download. Or do we need to create a CSR for any external Cloudflare certificates, for instance? TIA
@jimmatrix7244 1 year ago
Where did you get the pfsensemgt.crt file from? I am getting a public key mismatch error. Any idea how to fix that?
@TechTutorialsDavidMcKone 1 year ago
The pfsensemgmt.crt file is an SSL/TLS certificate file that I created using OpenSSL for pfSense. But first you need to create a certificate request in pfSense. You then get a certificate authority to sign that and give you an actual certificate to use. But I did that myself using OpenSSL. Back in pfSense, paste the contents of that .crt file into the Final certificate data field. That gives you a certificate to use in pfSense. Make sure the Alternate Hostname in the Admin Access page is correct and matches what the certificate supports and what you point your browser to, e.g. fw.templab.lan in my case. Then select the new certificate from the SSL/TLS Certificate drop-down menu to tell pfSense to use it.
@jimmatrix7244 1 year ago
@TechTutorialsDavidMcKone Thank you for the reply. I am still blurry on your explanation. Anyway, I figured it out and pfSense itself has an option to "sign a certificate request". I used that and it works. Thank you again for your prompt reply.
@tanayongkongyai1804 2 years ago
Hi, how did you get the file at the 8:11 mark?
@TechTutorialsDavidMcKone 2 years ago
I copied the request to my root CA, then used OpenSSL to create a signed certificate my browser would trust. I then copied that to my computer.
@_rrrrr6798 2 years ago
Hello, how did you get the common name or the domain name for your firewall? Do you have a separate video for it? That is all, thank you!
@TechTutorialsDavidMcKone 2 years ago
I made it up as it's an internal domain. Only public-facing servers need to use public domain names. And using different domain names makes it easy to know if you're connecting to an internal computer or an external one.
@_rrrrr6798 2 years ago
@TechTutorialsDavidMcKone Did you do something in the DNS Resolver? Like a host override or domain override to direct any search queries to your domain name (firewall)?
@TechTutorialsDavidMcKone 2 years ago
@_rrrrr6798 I built an internal DNS server which resolves that common name to the static IP address the firewall uses.
@_rrrrr6798 2 years ago
@TechTutorialsDavidMcKone Oh okay, thank you!
@MatthewDudek 1 year ago
But you don't cover how to get an internal, non-public URL signed by a trusted, public CA such that the browsers can actually trust it...
@TechTutorialsDavidMcKone 1 year ago
Using a public CA for internal servers doesn't fit security guidance. They have to do some form of checking, and even a DNS check will expose internal information to the wider public, making reconnaissance easier. Security is all about layers, so for internal servers it's better to use an internal CA. pfSense can act as a CA itself, although I covered how to create your own CA using OpenSSL in a separate video. While none of that is covered in this video, I wanted to avoid duplicating the same information in multiple videos, which saves time for everyone.
@orcrist484 1 month ago
@TechTutorialsDavidMcKone This may seem 'trivial', but it is clearly the most difficult part of the process. If you have another video on this you should reference that.
@TechTutorialsDavidMcKone 1 month ago
@orcrist484 Like I said, there are too many ways to do this. Some folks may use a CA on a NAS, for instance, and I won't know how that works. If it helps, I used OpenSSL, and a card linking to it should have popped up when I mentioned it in the video. But if you're interested in setting it up, I have another video here: kzbin.info/www/bejne/pIC2nWeaot6qm5o
@dksn1p3r 2 years ago
I'd suggest listing at least one free CA that would take cert requests in the video.
@TechTutorialsDavidMcKone 2 years ago
Thanks for the feedback. I did mention OpenSSL in the video, which is a free option. It's covered at the end. And I have another video showing how to install that, if that's what you're interested in. pfSense also has its own CA so you could use that, but I don't, as I prefer to keep a firewall just doing firewall services so it's less likely to be vulnerable.
@achillescasas4018 2 years ago
Tried this one; how long does it take for the request to be approved?
@TechTutorialsDavidMcKone 2 years ago
It really depends on the certificate authority.
@achillescasas4018 2 years ago
@TechTutorialsDavidMcKone Thank you for the response, hopefully they'll approve it asap :)
@VBFilms 2 years ago
Why did you just skip that one part at 7:35?
@TechTutorialsDavidMcKone 2 years ago
Because there are lots of different ways to get a certificate request signed, and it depends on what the firewall is being used for. The video is more about how to create the signing request and how to then install the signed certificate. However, at the end I do offer a way to do this using OpenSSL for anyone who will be using that method.
@VBFilms 2 years ago
@TechTutorialsDavidMcKone Okay, thanks!
@user-zr7kz4vs7c 1 year ago
Why not use a Let's Encrypt cert?
@TechTutorialsDavidMcKone 1 year ago
Let's Encrypt, like other public CAs, provides certificates for public-facing devices, i.e. ones that are meant to be accessed over the Internet. Part of the CA's job involves validating the request, e.g. Microsoft don't want somebody else setting up a server and pretending that it belongs to microsoft.com. So to use a public CA you have to expose information about your network/device as part of that validation, even when it's automated, to prove your request is legitimate. And once you do, it's then in the public domain. Now that's fine for a public-facing server, as that information is already public knowledge. But it's a terrible idea for devices on an internal network. I've worked in IT for a long, long time and you sometimes have to jump through hoops to exchange IT information like this, even if they're trusted 3rd parties. Because the last thing anybody wants is to make a hacker's life easier by making that information public. So unless the device is meant to be exposed to the Internet, you should run your own internal CA for TLS certificates. Then you set up your devices to trust it and you issue your own internal certificates to your internal servers.
@kinbech.52 6 months ago
My Linux brainrot is too strong... I immediately identified the Pop!_OS system(s) just by the font.
@TechTutorialsDavidMcKone 6 months ago
Now that says something. I've got used to the annoying update reminder, but didn't notice the font.