Hi Meg - I'm also having this issue. The documentation here: (https://docs.opnsense.org/manual/how-tos/self-signed-chain.html) does not match the UI in 24.7. The only method options in Trust/Authorities is "Import," "Create Internal," and "OCSP."There is a method option in Trust/Certificates called "Certificate Authority," but I wasn't actually able to use it to sign other certs.I tried signing one CA with another CA to use as an Intermediate, but I receive an "UNKNOWN_ISSUER" error, even when the Root-CA is trusted on-browser. The chain of trust ends at the Intermediate CA -- it's the only BEGIN CERTIFICATE block on the cert.
The file should contain one or more OpenSSL style BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities.The private key must be contained in a separate file with the same name as the certificate, but with a .key suffix instead. The key must not be encrypted.
cat Domain-intCA.crt >> server.crt## This adds the Internal Certificate's BEGIN CERTIFICATE block to the server.crt's chain, allowing it to be verified