πŸ” pfSense + LDAP Authentication Setup Guide

A step-by-step guide to integrate pfSense with Active Directory over secure LDAPS using a Let’s Encrypt certificate issued via DNS validation.

βœ… 1. Prerequisites

  • πŸ–₯️ Windows Server 2025 as Domain Controller (DC)
  • 🌐 A pfSense firewall instance
  • 🌍 A domain name (e.g., packetrealm.io)
  • ☁️ Cloudflare for DNS management
  • πŸ”’ Admin access to pfSense Web UI
  • πŸ“Ά Internet access from the Domain Controller

🌐 2. Configure DNS in Cloudflare

  1. Log in to your Cloudflare dashboard
  2. Select your domain (e.g., packetrealm.io)
  3. Navigate to DNS β†’ Add an A record:
    • Name: dc
    • IPv4 address: IP of your DC (LAN IP or WAN if accessible)
    • Proxy status: βšͺ DNS only
  4. Save and verify with: 
    nslookup dc.packetrealm.io

πŸ“œ 3. Issue TLS Certificate via Win-ACME (Manual DNS)

🧰 3.1 Download Win-ACME

  • πŸ‘‰ Download Win-ACME
  • Use the win-acme.v2.x.x.x.x64.trimmed.zip version
  • Extract to C:\win-acme

πŸ“₯ 3.2 Issue Certificate (Manual DNS-01)

cd C:\win-acme
.\wacs.exe
  1. Choose M β†’ Create new certificate with advanced options
  2. Enter: dc.packetrealm.io
  3. Choose DNS-01 challenge
  4. Select Manual for DNS update method
  5. Add TXT record in Cloudflare:
    • Name: _acme-challenge.dc
    • Value: TXT value from wacs
  6. After propagation, hit Enter to continue

πŸ” 3.3 Verify Certificate

  • Open mmc.exe
  • Add Certificates β†’ Local Computer
  • Navigate to Personal β†’ Certificates
  • Ensure:
    • Issued to: dc.packetrealm.io
    • Enhanced Key Usage: Server Authentication

πŸ” 3.4 Restart NTDS

Restart-Service ntds

πŸ”— 4. Import Let’s Encrypt Root CA to pfSense

πŸ“„ 4.1 Download Root Certificate

πŸ› οΈ 4.2 Add to pfSense

  1. Go to System β†’ Cert Manager β†’ CAs
  2. Click Add
  3. Name: Let’s Encrypt ISRG Root X1
  4. Paste entire PEM contents
  5. Save βœ…

πŸ‘€ 5. Create LDAP Bind Account (Best Practice)

  1. Open Active Directory Users and Computers
  2. Create OU: ServiceAccount (if needed)
  3. Add user: ldapbind
  4. Set password + Password never expires
  5. Example DN: 
    CN=ldapbind,OU=ServiceAccount,DC=packetrealm,DC=io

🧩 6. Configure LDAP in pfSense

  1. Go to System β†’ User Manager β†’ Authentication Servers
  2. Click Add:
    • Type: LDAP
    • Hostname: dc.packetrealm.io
    • Port: 636
    • Transport: SSL
    • Peer CA: Let’s Encrypt ISRG Root X1
    • Base DN: DC=packetrealm,DC=io
    • Bind DN: CN=ldapbind,OU=ServiceAccount,DC=packetrealm,DC=io
    • Password: your ldapbind password
  3. Save & test with Diagnostics β†’ Authentication

πŸ” 7. Enable LDAP Authentication in pfSense

  • Go to System β†’ User Manager β†’ Settings
  • Set your LDAP server as the authentication backend
  • Apply settings

πŸ”„ 8. Automate Certificate Renewal

  • βœ… Win-ACME installs a scheduled task
  • It auto-renews and places cert in Local Computer > Personal
  • pfSense trusts it through the CA, no re-import needed
  • Monitor expiry as a safeguard

πŸ› οΈ 9. Troubleshooting

Test LDAPS connectivity

openssl s_client -connect dc.packetrealm.io:636

DNS check from pfSense

nslookup dc.packetrealm.io
  • Check Windows Event Viewer for AD or certificate issues
  • Use Status β†’ System Logs β†’ System β†’ Authentication in pfSense