If you use pfSense in your company, school, etc. together with an Active Directory, Microsoft now strongly recommends, for security reasons, encrypting your LDAP connections. Since pfSense 2.5.x the firewall also validates the LDAP server's certificate, so you must import the certificate of the CA that issued it. (An upcoming procedure will explain how to create an ADCS from your Active Directory.) We will therefore proceed with my lab demo, whose domain is HOME.LAN.
After creating a certificate authority on your AD server, open the Certification Authority utility:
Then right-click on your CA (example: home-AD01-CA), open the All Tasks menu and select Back up CA:
Click Next, select Private key and CA certificate and choose the backup location. Note that pfSense only needs the public CA certificate: the private key contained in this backup is never copied to the firewall, so treat the backup file as a secret and delete the working copy once the certificate has been extracted:
Set a password (recommended) or leave it empty, then click Next and Finish:
The backup is saved in .p12 (PKCS#12) format:
Now that the CA backup exists, we convert it to PEM so that it can be pasted into pfSense. On a Windows desktop you can install OpenSSL, or use a GNU/Linux distribution, to do the conversion. Here is the command (it prompts for the backup password and, thanks to -nokeys, writes only the certificate and never the private key; replace the file names with those of your own backup):
openssl pkcs12 -clcerts -nokeys -out apns-cert.pem -in apns-cert.p12
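As an added example (not part of the original post), the following shell script wraps the conversion above and adds the two checks a practitioner wants before touching the firewall: that the extracted PEM really is a CA certificate, and that the domain controller's LDAPS chain validates against it with the host name matching the certificate, which is exactly what pfSense 2.5+ verifies and what the Diagnostics > Authentication test later in this procedure exercises. File names, the backup password and the host name ad01.home.lan are assumptions for the demo lab.

```shell
#!/bin/sh
# Added example, not from the original post: turn the "Back up CA" .p12 into the
# PEM block pfSense expects, confirm it really is a CA certificate, and check that
# the domain controller's LDAPS chain validates against it (pfSense 2.5+ performs
# this validation itself and fails authentication when it does not hold).
# File names, the password and the host/port values below are assumptions.
set -u

# Extract only the CA certificate from the PKCS#12 backup. -nokeys keeps the CA's
# private key out of the output; the sed keeps just the PEM block, without the
# "Bag Attributes" preamble, so it can be pasted as-is into Certificate Data.
# Usage: ca_from_p12 <backup.p12> <out.pem> <backup-password>
ca_from_p12() {
    raw=$(openssl pkcs12 -clcerts -nokeys -in "$1" -passin "pass:$3" 2>/dev/null) || return 1
    # Add -legacy to the command above if OpenSSL 3 rejects an old RC2-encrypted .p12.
    printf '%s\n' "$raw" | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
    grep -q -- '-----END CERTIFICATE-----' "$2" || return 1
}

# Check that the PEM really carries a CA certificate (Basic Constraints CA:TRUE)
# and print what pfSense will show after the import: subject, expiry, fingerprint.
# Usage: check_ca_pem <ca.pem>
check_ca_pem() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Reproduce pfSense's check from the command line: connect to the domain
# controller, verify its chain against the CA and match the host name against the
# certificate (CN or SAN). Exit status 0 means handshake and validation passed.
# Usage: check_ldaps <ca.pem> <dc-fqdn> [port]   (SSL/TLS Encrypted transport, 636)
check_ldaps() {
    openssl s_client -connect "$2:${3:-636}" -servername "$2" -verify_hostname "$2" \
        -CAfile "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Same check for the STARTTLS Encrypted transport on the plain LDAP port.
# Usage: check_ldap_starttls <ca.pem> <dc-fqdn> [port]
check_ldap_starttls() {
    openssl s_client -starttls ldap -connect "$2:${3:-389}" -servername "$2" \
        -verify_hostname "$2" -CAfile "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Whole sequence, e.g.: sh ldaps_ca_check.sh --run home-AD01-CA.p12 'BackupPass' ad01.home.lan
if [ "${1:-}" = "--run" ] && [ "$#" -eq 4 ]; then
    ca_from_p12 "$2" ca.pem "$3" || { echo "cannot read $2 (wrong password or not a PKCS#12 file?)"; exit 1; }
    check_ca_pem ca.pem || { echo "ca.pem is not a CA certificate"; exit 1; }
    if check_ldaps ca.pem "$4"; then
        echo "LDAPS chain and host name OK for $4: safe to select this CA as Peer Certificate Authority"
    else
        echo "LDAPS validation failed for $4: check the DC certificate, its SANs and the firewall DNS"
        exit 1
    fi
fi
```

If check_ldaps fails while the GUI test later also fails, the cause is almost always one of three things: the DC certificate was not issued by this CA, the name you connect with is not in the certificate's subject or SAN list, or the firewall cannot resolve that name. The script exits non-zero in each of those cases, so it can be kept as a monitoring check after the CA is renewed.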
Now we log in to the pfSense firewall, go to the Certificate Manager (System > Cert. Manager) and click the Add button in the CAs section:
In Description enter the server name, e.g. AD01, and select Method: Import an existing Certificate Authority.
Tick Trust Store, then open the PEM file in a text editor, copy the certificate block (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) into Certificate Data and click Save.
We go back to our Authentication Servers (System > User Manager > Authentication Servers) and click the edit button on the AD01 server, for example:
If you use OPNsense or DynFi, you must also tick Trust Store in System - Settings - General:
In Transport, choose SSL/TLS Encrypted (port 636), select the AD01 CA in Peer Certificate Authority and click Save. Make sure Hostname or IP address contains the server's DNS name exactly as it appears in the subject or subject alternative names of the server certificate (the AD01 FQDN in the HOME.LAN domain, not its IP address), because pfSense 2.5.x checks that name against the certificate as well as checking the certificate against the CA:
Now we test under Diagnostics > Authentication: select the AD01 server and test with a user authorized on the AD; it should succeed:
Now the connection between pfSense and the Active Directory is encrypted, and the server's certificate is validated against the imported CA.
For reliable operation, the DNS servers configured on the firewall should be only your internal ones (in my case the Active Directory's DNS, which resolves the AD server name), and the firewall should use your own NTP server: certificate validation fails if the firewall's clock drifts outside the certificate's validity period.
Note also: after creating your groups (for example I created an admin group for my AD admin users and a group for normal users so that they can export their OpenVPN configuration), it is preferable to make the VPN group the default login group, having set up the restrictions in that group, as in this example (for OPNsense or DynFi):
Also remember to use your AD admin account by default and avoid logging in with the local admin account. In the end it all depends on how you want to manage your OPNsense or DynFi firewall, as in this example: