Hi,
there is a way to import external certificates and keys into OPNsense. Unfortunately those certificates can't be updated anymore, e.g. if the cert is going to expire.
The only way to work around it is to import cert and key again and then assign this certificate to all services that should use it.
This is IMHO unnecessary overhead and I don't understand why OPNsense is enforcing this create and delete process. But happy to learn the rationale behind it.
I know there are several scripts out there which are automating this, but it is still overhead, and those scripts need access to the private key. And those scripts are not able to update the cert for all use cases, e.g. captive portal. Most scripts require admin credentials. All things that are not increasing security.
As we all know, CAs are going to reduce the lifetime of certificates to months for security reasons, so even imported certificates need to be replaced regularly.
As there are scripts out there, updating imported certs seems to be a common use case, so I think removing this limitation would be a nice improvement.
Thanks
Thomas
Best create a feature request on github if you want any developer attention to this matter.
Sounds like it can be improved, but it's nothing that wasn't the same for many years. The "risk" of editing a certificate is changing it entirely if we assume we match the key to the cert and update. If the outcome is expected is a question for the user later. ;)
So what Patrick said: please raise a feature request on GitHub for future reference.
Cheers,
Franco
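The risk Franco describes, a replaced certificate that silently no longer fits its key or is already near expiry, is something an update script can gate on before it touches any service. The following shell snippet is an added example, not from this thread and not OPNsense's own tooling; it assumes `openssl` is on the PATH and that the file paths are placeholders for the freshly issued PEM files:

```shell
#!/bin/sh
# Added example (not part of the forum thread, not OPNsense code).
# Assumes: openssl on PATH; arguments are placeholder paths to the new PEM files.

# Return 0 only if the private key's public half is byte-for-byte identical to
# the SubjectPublicKeyInfo embedded in the certificate. Each openssl call must
# succeed on its own, so an unreadable cert and an unreadable key can never
# "match" by both producing empty output.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 only if the certificate is still valid for at least $2 more days.
# openssl's -checkend exits non-zero when the cert expires within the window.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Combined gate for a replacement workflow: refuse unless the key fits the cert
# and the cert has at least one day of validity left, then print what we checked.
safe_to_replace() {
  cert_key_match "$1" "$2" || {
    echo "refusing: private key does not match certificate" >&2
    return 1
  }
  cert_valid_for_days "$1" 1 || {
    echo "refusing: certificate expires within one day" >&2
    return 1
  }
  echo "ok: $(openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' ')"
}

# Usage (placeholder paths):
#   safe_to_replace /path/to/new-cert.pem /path/to/new-key.pem && do_the_import
```

Comparing the two PEM-encoded public keys as strings works because both `openssl x509 -pubkey` and `openssl pkey -pubout` emit the same SubjectPublicKeyInfo encoding; the `|| return 1` on each command matters, since otherwise two failed reads would both yield an empty string and compare equal.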