If you’re managing SSL/TLS on your OPNsense firewall, using the built-in ACME client plugin is a secure and automated way to issue and renew certificates from trusted CAs like Sectigo. In this guide, you’ll learn how to install an ACME certificate on OPNsense using the official plugin, configure your ACME account with EAB credentials, validate domain ownership, and automatically deploy certificates.

This method is ideal for those using OPNsense as a gateway, reverse proxy, or to secure services behind NAT. Let’s walk through each step.
What You’ll Need
Before you begin, make sure you have:
- Administrator access to the OPNsense web interface
- A valid domain name pointing to your OPNsense instance
- Port 80 open (for HTTP-01 validation)
- ACME credentials from your certificate provider:
- ACME Directory URL (e.g. https://acme.sectigo.com/v2/DV)
- EAB Key Identifier (KID) and HMAC Key
Step 1 – Install and Enable the ACME Plugin
- Log in to the OPNsense web interface.
- Navigate to System > Firmware > Plugins.
- Locate the plugin named os-acme-client.
- Click the + button next to it to install.
- After installation, refresh the interface (press F5).
- Go to Services > ACME Client > Settings and check Enable Plugin. Click Save.

This enables the ACME client backend and unlocks the configuration options.
Step 2 – Add an ACME Account
To connect OPNsense to your certificate authority, you’ll need to create an ACME account with External Account Binding (EAB).
- Go to Services > ACME Client > Accounts. Click + Add.
- Fill out the form:
- Account Name: Choose any descriptive name.
- Email Address: For expiry notices or errors.
- ACME CA: Select Custom CA URL.
- Custom CA URL: Paste your CA’s ACME directory URL (e.g., https://acme.sectigo.com/v2/DV)
- Key Identifier: Enter your EAB KID.
- HMAC Key: Enter your EAB HMAC Key.
- Click Save, then click Register to create the ACME account.

Ensure the KID and HMAC are copied exactly, without leading/trailing spaces.
Step 3 – Set Up a Validation Method (Challenge Type)
To prove domain ownership, ACME uses challenge types. For OPNsense, the most common is HTTP-01.
- Go to Services > ACME Client > Challenge Types. Click + Add.
- Choose HTTP-01 as the validation method. This requires port 80 to be accessible from the public internet.
- Save and apply the changes.

If your firewall blocks port 80 or you’re using DNS-based hosting, consider an alternative validation method (not supported natively in all versions).
Step 4 – Create and Issue the Certificate
Now that your account and validation method are ready:
- Go to Services > ACME Client > Certificates. Click + Add.
- Fill in the certificate settings:
- Domain Name: Enter your full domain (e.g., vpn.example.com)
- ACME Account: Select the account created in Step 2.
- Validation Method: Choose the HTTP-01 challenge you set in Step 3.
- Save and apply.

The ACME client will now attempt to validate your domain and issue the certificate.
Once complete, the certificate will be saved and available for system use, including Web GUI, HAProxy, OpenVPN, and other plugins.
Step 5 – Automate Renewal and Apply Certificates
After setup, certificates are automatically renewed before expiration.
You can assign the issued certificate to OPNsense services via System > Settings > Administration or individual plugin settings.
You can also manually trigger renewal under Services > ACME Client > Certificates by selecting your entry and clicking Issue/Renew.
Common Questions
Even with a working setup, managing ACME certificates in OPNsense can raise some practical concerns, especially around troubleshooting, applying certificates to services, or dealing with renewal issues. Here are answers to real problems users often run into after initial configuration:
How do I assign the certificate to services like OpenVPN or the Web UI?
Once the certificate is issued, go to System > Trust > Certificates, find your issued certificate, and click the edit icon. At the bottom, you’ll see a “Used by” section where you can assign it to the Web GUI, OpenVPN, IPsec, or other services.
Don’t forget to restart those services to employ the new certificate.
My certificate is issued, but doesn’t show as active—what’s wrong?
Ensure it’s selected in the Trust > Certificates panel and actively linked to the service you’re trying to secure. Issuance alone doesn’t auto-bind the cert—you must assign it manually to services like GUI or VPN.
Also, check if the domain name in your certificate matches the one configured in the service (especially for Web UI access).
Why is HTTP-01 the only supported method?
The OPNsense ACME client currently supports HTTP-01 validation out of the box. DNS-01 or other advanced options may require third-party scripts or external automation and are not supported natively.
Final Words
You’ve now learned how to install an ACME certificate on OPNsense using the built-in plugin and EAB credentials from a commercial CA. With automated renewal and simple integration with firewall services, this method keeps your system secure with minimal manual effort.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

