diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 6508bbe11..e6ed0b2c8 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -64,6 +64,13 @@
To import additional certificates, go to Certificate Manager.]]>Type certificate name or choose from list.
+
+ frontend.ssl_default_certificate
+
+ dropdown
+ NOTE: This parameter is optional to enforce a certain sort order for certificates. The certificate itself must still be listed under "Certificates".]]>
+ true
+ frontend.ssl_customOptions
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index b96f80ae2..3f71ce11d 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -282,6 +282,11 @@
YPlease select a valid certificate from the list.
+
+ N
+ N
+ Please select a valid certificate from the list.
+ N
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index f22de296f..4b2946f20 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -551,8 +551,17 @@ frontend {{frontend.name}}
{% if frontend.ssl_enabled == '1' %}
{# # collect ssl certs (if configured) #}
{% if frontend.ssl_certificates|default("") != "" %}
+{# # check if a default certificate is configured #}
+{% if frontend.ssl_default_certificate|default("") != "" %}
+{% do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ frontend.ssl_default_certificate ~ '.pem') %}
+{% endif %}
{% for cert in frontend.ssl_certificates.split(",") %}
-{% do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ cert ~ '.pem') %}
+{# # skip default certificate, it was already added to the list #}
+{% if frontend.ssl_default_certificate|default("") != "" and cert == frontend.ssl_default_certificate %}
+{# # do nothing #}
+{% else %}
+{% do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ cert ~ '.pem') %}
+{% endif %}
{% endfor %}
{% endif %}
{# # advanced ssl options #}