Feature #16568
open
Please support installation of Certificate/Key pairs through backend APIs
Description
I initially submitted Feature #16561, which Jim Pingle Rejected because the PHP script I suggested is using outdated methods of configuration manipulation, and suggested that a request for "official backend" (or GUI) support might be requested.
As you are no doubt aware, the Browser Consortium is cutting down the allowable lifetime for certificates. The current maximum lifetime is 398 days. By March 15, 2026 it will be down to 200 days, reducing in 2027 and 2029 until the allowable lifetime is only 47 days! Not going to debate the wisdom of this here. What this means for those of us maintaining keys and certificates for SSL (and VPN and...) is that we will need to post re-signed certs every 46 days (to avoid expiring during the last day). I maintain my SG-5100 for strictly inside use, so cannot rely on Let's Encrypt and the ACME package; no outside Domain that can respond.
What is needed is a SUPPORTED method that does what the PHP script in the previous feature request does, namely the following from the CLI:
- Accepts a new (so hash on Cert should be used to ensure it is new) Cert/Key pair
- Verifies the validity of the Cert/Key pair
- Replaces the current default certificate for SSL use and also applies it to other services that use it (DHCP, DNS, VPNs...)
- Deletes the replaced Cert/Key pair once all mappings to services have been set to the new cert/key
- Returns status codes/messages that can be processed by scripts
The idea is to have, in my case, Windows CMD/PowerShell scripts that use SCP to copy a script to make the requested calls and the cert/key pair, then launches the script and captures the status codes/messages (e.g. from a file where they are saved on the device).
This is sorely needed before the Certificate lifetimes for SSL/Browsers drop down... so that it can be implemented/tested.
Thanks!
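
The first two checks in the list above (the certificate is new by hash, and the certificate and key belong together) can be run before any installation step. The script below is an added example, not part of the original request and not pfSense code; it assumes the `openssl` CLI and an unencrypted PEM key, and the function names, return codes and the `fw.example.internal` subject are its own.

```shell
#!/bin/sh
# Added example: pre-flight check for a replacement cert/key pair.
# Return codes are this example's own convention, not a pfSense API:
#   0 = OK to install          1 = unreadable or mismatched pair
#   2 = already installed      3 = certificate has expired
# Assumes the openssl CLI and an unencrypted PEM private key.

# SHA-256 fingerprint of a PEM certificate (empty if unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when the certificate's public key equals the one derived from the key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_pair NEW_CERT NEW_KEY INSTALLED_CERT -> one status line + return code
check_pair() {
    pair_matches "$1" "$2" ||
        { echo "ERROR: certificate and key do not match"; return 1; }
    new_fp=$(cert_fingerprint "$1")
    [ "$new_fp" != "$(cert_fingerprint "$3")" ] ||
        { echo "SKIP: certificate is already installed"; return 2; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "ERROR: certificate has expired"; return 3; }
    echo "OK: new certificate $new_fp"
}

# Constructed sample input: throwaway self-signed pairs in a temp directory.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 46 \
        -subj "/CN=fw.example.internal" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pair "$demo/old"
make_demo_pair "$demo/new"
check_pair "$demo/new.crt" "$demo/new.key" "$demo/old.crt"; echo "status=$?"
check_pair "$demo/new.crt" "$demo/old.key" "$demo/old.crt"; echo "status=$?"
check_pair "$demo/old.crt" "$demo/old.key" "$demo/old.crt"; echo "status=$?"
rm -rf "$demo"
```

The single status line and return code are what a calling CMD/PowerShell script would capture after copying the pair over with SCP.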