You can use easy-rsa on pfSense to generate your OpenVPN keys.
WARNING: This may not be the ideal situation for deploying your PKI. If your OpenVPN server is compromised, your entire PKI will be compromised. This is typically of very little concern, as access to the firewall is highly restricted, and in most networks it's likely the most secure and least accessible device on the network.
Install
Just run the following from a SSH session:
# fetch -o – http://files.pfsense.org/misc/easyrsa-setup.txt | /bin/sh
This will download the files, extract them, and remove the downloaded file. After doing this, you will be prompted to run the next step manually. Copy and paste the last line displayed to generate your certificates (NOTE: If you have gone through this process previously, repeating this will wipe out all your existing certificates!)
# cd /root/easyrsa4pfsense && ./PFSENSE_RUN_ME_FIRST
This will first prompt you for your location and organization information, to be used when generating the certificate authority and initial certificates, and as defaults when creating additional certificates in the future. It will then create your certificate authority, a server certificate, and one client certificate. These files can be found in the /root/easyrsa4pfsense/keys/ directory.
If you are prompted for a challenge password, you most likely will want to leave it blank. Press enter at the challenge password prompt, and again on the confirm prompt.
Creating a client key
To create a new client key, SSH into the firewall, choose option 8 and run:
# cd /root/easyrsa4pfsense
# source vars
# ./build-key clientXXXX
Where clientXXXX is the name of the client.
You'll then find the client's keys in /root/easyrsa4pfsense/keys/
Revoke a client key
To revoke the key for client1:
# cd /root/easyrsa4pfsense/
# source vars
# ./revoke-full client1
Which will update the crl.pem file, the contents of which need to go into the pfSense OpenVPN GUI in the CRL field.
source: PFSense Docs