I recently decided to rewrite this article from scratch. I made a blogpost about how easy it is to do this with pfSense before but I only touched setting up the root-ca part. In theory this is enough, certainly for a home lab. However it brings some complexity if you start with intermediate and issuing certificate authorities and if you need to export/import the complete chain. This series will cover all that.

So in this blog post we will set up the root certificate authority, easy-peasy.

In the pfSense administration console head to System > Certificate Manager and under CAs click “+ Add”.

Select the appropriate key type and algorithm, fill in the values and hit Save.

Basically this is it. We now have a working certificate authority. Trusting this certificate authority on your device would make your device trust all the certificates that will be issued by it (if the certificates follow the security standards).

We can export the certificate using the icon marked with the red circle. Now we can import the certificate in Windows in the “Trusted Root Certificate Authorities” folder or on macOS in the “System Keychain” and selecting “Always Trust”.