How to use OPNSense as a Certificate Authority (CA)

OPNSense is a popular BSD-based routing and security appliance loved by many for its ease of use and vast feature set. Originally a fork of PFSense, OPNSense took the deliberate move to rearchitect certain components in the interests of pushing new features faster. OPNSense works incredibly well in a virtual environment, and indeed is a popular choice as the bedrock upon which a home lab can be built. Today we will be investigating installing OPNSense on top of VMware, briefly touching on some of the most commonly used features, and detailing its use as an internally signed certificate authority. There are a couple of poorly documented “gotchas” which warrant explanation. Another hypervisor such as HyperV, ProxMox or Xen can be used in place of VMware if so desired.

Getting Started

OPNSense can be downloaded from opnsense.org/download/ .

Download OPNSense

In a VMware environment, the DVD distribution is likely the most friendly. The ISO will download as a BZ2 archive, and can be unzipped with software such as 7-zip www.7-zip.org/download.html.

Once unzipped, upload the ISO to your VMware datastore or content library from the web interface.


Creating your VM

Select the first option “Creation a new virtual machine”.

OPNSense Create VM

Select “Other” for your Guest OS family, and choose “FreeBSD 12 (64-bit)”.

OPNSense Select VM OS

For most use cases, 2 vCPUs, 4GB of RAM and 40 GB of hard drive space will suffice. Today we will be installing OPNSense with only a WAN interface, but one popular configuration is to create a new vSwitch in VMware. This VM’s LAN interface would live on that port group, and serve as the gateway for all other VMs on that segment.

OPNSense VM Settings

Select “Finish” to create the virtual machine.

OPNSense VM Complete

If you have already uploaded your ISO to a datastore or content library, you can skip this step. Otherwise, navigate to “Storage” and select your destination. Select “Datastore Browser”

OPNSense VM Datastore
OPNSense VM Datastore Browser

Click into the folder where you want your ISO to reside, and select “Upload”.

Datastore Browser

A file picker will let you select a location from which to choose your local ISO.

Once your ISO has been uploaded, right click your VM from the “Virtual Machines” view and select “Edit”.

opnsense edit settings

Under CD/DVD, expand with the arrow on the lefthand side.

opnsense edit settings CD/DVD

From the dropdown change “Host Device” to “Datastore ISO File”. Select your ISO from the location in your vSphere or ESXI environment where it was uploaded. Make sure to check both “Connect” and “Connect at power on” (See image below).

opnsense edit settings to connect at power on

Select “Save” to commit your changes.

Right click on the VM and select “Power On”.

It will take quite some time for the VM to boot.



Installing OPNSense

installing OPNSense

You will need to wait until it presents the following scree with a login prompt.

OPNSense Login

Login at the console with default username and password root / opnsense.

OPNSense Options

With a single interface, OPNSense defaults secure to having it be your LAN interface, unreachable by other components on your network. Type ‘1’ and select Enter to assign interfaces.

OPNSense Configure VLAN

Type ‘N’ and press enter. We are not configuring VLANs.

OPNSense Configure WLAN

Select type the name of your only interface displayed above, in my case vmx0. Press Enter.

OPNSense Firewall

Press Enter without typing anything to continue.

OPNSense proceed

Type ‘Y’ and hit enter to commit your changes.

OPNSense Finished Install

If your environment is like mine and has a DHCP server, an IP address on your local network will appear up top. Otherwise, you can type ‘2’ to begin the wizard to set a manual IP for OPNSense. (This is beyond the scope of this tutorial).

Visiting this IP, we are presented with a login page for OPNSense. Use the same username / password combo of root / opnsense to login.


Creating your Root Certificate

OPNSense create root CA

OPNSense is capable of many things, but today our singular purpose is to have an easy GUI based internal CA at our fingertips, perfect for a small office or home lab.

On the lefthand side, navigate to System -> Trust -> Authorities.

OPNSense Trust Authorities

Select the + sign on the upper right to begin creating our root certificate.

OPNSense Create Root Certificate

Give the authority a name, and change the dropdown to “Create an internal certificate authority”. Optionally, if you have an existing CA created with OpenSSL, it can be imported here for ease of management.

OPNSense Naming Root Certificate

Populate the following information:

Key Type: RSA is the most compatible, but Elliptic Curve is more efficient.
Key Length: 2048 will be acceptable for at least the next few years. For a more future-proof deployment, select 4096.
LifeTime: This dictates when your internal CA will expire. Typically these are set to at least 10 years.

The rest of the fields will populate the X509 certificate for your root CA with common name, locality, organization, and email address.

Select “save”.

Trust Authorities

Select the first “Download” option to download the public certificate of your CA locally. You will need it when you configure it on clients. Mouse over these buttons for a textual description of the action.

Download Public Certificate

Select the second download option to download a file containing the private key of your root CA. This must be protected dearly. The security of our deployment ultimately chains back to keeping this secret.

Take the private key and put it on a flash drive in a safe location. It is a best practice for it to remain perpetually offline. We will create an intermediate CA, and should the intermediate CA ever become compromised we would use the private key of the root CA to revoke it.


Creating your Intermediate Certificate

Select the + again at the top right.

This time,

OPNSense Create Intermediate Authorities
OPNSense Create Intermediate Authorities 2

The values requested will be largely the same as creating the root, but make sure to name the Intermediate Certificate in a way that will make sense later.

Select “Save”.

Now, perhaps counterintuitively, DELETE your Root CA with the garbage can icon. It is a best practice for the root CA to remain offline and for the intermediate certificate to be used to issue certificates.

Download Public Intermediate Certificate

Take this time to download the public key for your intermediate certificate. This along with the public key from the root certificate will be needed to build a full chain.

Now, under System -> Trust -> Certificates, we can issue one or more end-entity certificates by selecting the + sign.

OPNSense Create Certificate

Change the drop down to “Create an internal certificate”.

Certificate Details

From here, we can issue a certificate without even needing a CSR. Make sure to select “Server Certificate” if you want to use your SSL/TLS certificate for an endpoint. Client certificate is for mutual authentication (which is a great way to authenticate to a reverse proxy! See www.ssltrust.com/help/setup-guides/client-certificate-authentication. Make sure to populate subject alternative names. Newer browsers require these to trust an endpoint.

Optionally, the dropdown choice “Sign a Certificate Request” allows us to sign a CSR generated from another system. This is a best practice so that the private key does not need to live on OPNSense.

OPNSense Sign Certificate Request

Creating a certificate on OPNSense allows you to download a certificate in PCKS#12 (PFX) format for easy import onto windows machines.

OPNSense Trust Certificates



Using these certificates

Like a publicly trusted CA, the root certificate must be installed in the certificate store of the client. (For chrome, edge, or internet explorer the operating system’s certificate store is used. For Firefox, this behavior depends on GPO in Windows environments but defaults to its own local in-browser certificate store.) Programs like java maintain a CACerts file which stores root certificate in JKS format. Whatever the certificate store, in order for trust to happen, the public key of your root certificate must be installed there.

The intermediate certificate on the other hand does NOT need to be known to your client beforehand. Instead, your server software should serve BOTH the end-entity certificate and the intermediate certificate as a hint for the client to be able to create a valid chain.


Conclusion

Creating an Internal CA can seem like a daunting task, but if your organization is still in the dark ages of self-signed certificates, this guide can serve as a roadmap for taking things to the next level in terms of confidentiality and integrity. With a little elbow grease and freely available tools, even a complete novice can create an internal certificate authority complete with an intermediate authority!

Discussions and Comments

Click here to view and join in on any discussions and comments on this article.

Written by
Jeremy Schatten

Tags: #PKI

Helpful Guides

View more Guides, FAQs and information to help with your Certificate purchases.

Learning Centre

View more resources on cyber security, encryption and the internet.