diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index f6d6a82db..f7ab3d93a 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -44,6 +44,12 @@
dropdown
+
+ certificate.ocsp
+
+ checkbox
+ Generate and add OCSP Must Staple extension to the certificate.
+ certificate.restartActions
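Review bot: The help text for `certificate.ocsp` does not tell the operator what enabling Must-Staple commits them to. A certificate carrying this extension is rejected by clients that enforce it unless the server staples a valid OCSP response, so ticking the box for a service that does not staple causes an outage until the certificate is reissued. I would extend the help string to something like `Add the OCSP Must-Staple extension to the certificate. Only enable this if every service using the certificate staples OCSP responses; clients that enforce the extension will otherwise refuse the connection.`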
diff --git a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
index 4ee6b1ff5..f3a6dd373 100644
--- a/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
+++ b/security/acme-client/src/opnsense/mvc/app/models/OPNsense/AcmeClient/AcmeClient.xml
@@ -214,6 +214,10 @@
ec-384
+
+ 0
+ N
+
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index e3d94cdae..509a6e5d7 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -809,6 +809,11 @@ function run_acme_validation($certObj, $valObj, $acctObj)
$key_length = substr_replace($key_length, '-', 2, 0);
}
+ // if OCSP Extension is turned on pass --ocsp parameter to acme client
+ if (isset($certObj->ocsp)) {
+ $acme_args[] = "--ocsp";
+ }
+
// Run acme client
// NOTE: We "export" certificates to our own directory, so we don't have to deal
// with domain names in filesystem, but instead can use the ID of our certObj.
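Review bot: The guard `isset($certObj->ocsp)` checks only that the node exists, not that the checkbox is ticked. The AcmeClient.xml hunk gives the new field a default of `0`, so the node is presumably present on every saved certificate and `--ocsp` would then be passed even with the option off; the type of `$certObj` is not visible here, so confirm against the caller. Unintended Must-Staple certificates break TLS for any service that does not staple OCSP responses, so the value itself should be tested: `if (isset($certObj->ocsp) && (string)$certObj->ocsp === '1') {`. The body of run_acme_validation starts and ends outside this hunk.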