OPNsense Forum

English Forums => General Discussion => Topic started by: bnassif on January 26, 2026, 06:24:56 PM

Title: Edit Certificate/SSL via Web UI
Post by: bnassif on January 26, 2026, 06:24:56 PM
Hello,

Sorry if this has already been discussed, but I couldn't find any topics on it.

Could the option to edit existing certificates/SSLs through the Web UI be enabled in future releases?

Background:

We use OPNsense at my workplace, and we manage many firewalls across our environment.

Our certificates are generated on a bastion host using letsencrypt, and we distribute the certificates to all of our firewalls from there.
Generating certificates using letsencrypt is not an option for us due to the sheer number of hosts that must have certificates generated.

We then use the api/trust/cert (https://docs.opnsense.org/development/api/core/trust.html#id2) controller's 'set' command to edit the certificate in-place for all OPNsense firewalls with the certificate.
This workflow works really well, but there are occasionally failures on a few firewalls here and there.

The problem we face is when editing a certificate in the Web UI, the "Manual" option is not made available; you're only allowed to create a CSR or reissue and replace.
Ideally, this would be an option for manually updating a certificate in-place without having to import a new certificate.

This topic will become more relevant in the coming years as the letsencrypt durations shorten (https://community.letsencrypt.org/t/upcoming-changes-to-let-s-encrypt-certificates/243873) and my organization shifts towards longer-lived purchased certificates.

Title: Re: Edit Certificate/SSL via Web UI
Post by: Patrick M. Hausen on January 26, 2026, 07:23:20 PM
Quote from: bnassif on January 26, 2026, 06:24:56 PM
my organization shifts towards longer-lived purchased certificates.

All public certificates will be limited to 47 days from 2029 on. You won't be able to buy longer running ones.

This does not apply to certificates you create and sign with a private CA, which can run arbitrarily long for most operating systems if I am not mistaken and 825 days for Mac OS.

Digicert (for example) write on the subject (https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days):

Quote:
As a certificate authority, one of the most common questions we hear from customers is whether they'll be charged more to replace certificates more frequently. The answer is no. Cost is based on an annual subscription, and what we've learned is that, once users adopt automation, they often voluntarily move to more rapid certificate replacement cycles.

For this reason, and because even the 2027 changes to 100-day certificates will make manual procedures untenable, we expect rapid adoption of automation long before the 2029 changes.

Title: Re: Edit Certificate/SSL via Web UI
Post by: bnassif on January 26, 2026, 08:12:24 PM
Oh, very good to know! Thanks for the reply and context; I hadn't read deeper into the context except that initial post from LetsEncrypt.

My original question about being able to edit certificates in-place on OPNsense still stands, though.

We already automate our certificate rotation across our fleet using a wildcard certificate from LE, so we're poised well for that.
It would just be nice to have a way to quickly update a certificate's contents in OPNsense without leveraging the API.