
Certificate settings #2500

Merged
j-chmielewski merged 60 commits into dev from certificate-settings, Apr 8, 2026


@j-chmielewski j-chmielewski commented Mar 30, 2026

Implements #2196.

  • Certificates settings tab
  • CA cert settings section
  • Core/Edge settings section


Copilot AI left a comment


Pull request overview

Adds end-user “Certificate settings” functionality by introducing new Settings pages/wizards in the web UI and refactoring backend certificate-management endpoints (core/proxy) to support internal/external URL SSL configuration, CA/certs introspection, and live core web server TLS reloads.

Changes:

  • Web UI: add Certificates settings tab, CA details page, certificates overview page, and core/edge certificate wizards.
  • API: replace legacy cert upload/self-signed endpoints with internal/external URL settings endpoints plus /core/cert/ca and /core/cert/certs.
  • Backend/runtime: implement core web server reload on TLS updates; add proxy control message to clear HTTPS certs.

Reviewed changes

Copilot reviewed 58 out of 60 changed files in this pull request and generated 9 comments.

| File | Description |
| --- | --- |
| web/src/shared/components/certificates/InternalSslResult/InternalSslResult.tsx | New reusable UI component for internal SSL result rendering. |
| web/src/shared/api/types.ts | Adds certificate-related API types and cert source enums. |
| web/src/shared/api/api.ts | Wires new core/proxy cert endpoints into the web client. |
| web/src/routeTree.gen.ts | Adds routes for new settings pages and certificate wizards. |
| web/src/routes/_authorized/_wizard/settings-edge-certificate.tsx | Route entry for Edge certificate wizard. |
| web/src/routes/_authorized/_wizard/settings-core-certificate.tsx | Route entry for Core certificate wizard. |
| web/src/routes/_authorized/_default/settings/certs.tsx | Route entry for certificates overview settings page. |
| web/src/routes/_authorized/_default/settings/ca.tsx | Route entry for CA settings page. |
| web/src/pages/SetupPage/initial/steps/SetupInternalUrlSslConfigStep.tsx | Refactors to use InternalSslResult and updates Divider import. |
| web/src/pages/SetupPage/autoAdoption/steps/AutoAdoptionInternalUrlSslConfigStep.tsx | Refactors to use InternalSslResult and updates Divider import. |
| web/src/pages/SettingsEdgeCertificateWizardPage/useSettingsEdgeCertificateWizardStore.ts | Adds zustand store for Edge cert wizard flow. |
| web/src/pages/SettingsEdgeCertificateWizardPage/types.ts | Defines step IDs for Edge cert wizard. |
| web/src/pages/SettingsEdgeCertificateWizardPage/style.scss | Adds styles for Edge cert wizard summary card. |
| web/src/pages/SettingsEdgeCertificateWizardPage/steps/SettingsEdgeCertificateWizardSummaryStep.tsx | Summary step that invalidates cert queries and routes back. |
| web/src/pages/SettingsEdgeCertificateWizardPage/steps/SettingsEdgeCertificateWizardExternalUrlSslConfigStep.tsx | SSL config step including ACME SSE progress UI. |
| web/src/pages/SettingsEdgeCertificateWizardPage/steps/SettingsEdgeCertificateWizardExternalUrlSettingsStep.tsx | External URL SSL selection + optional cert/key upload. |
| web/src/pages/SettingsEdgeCertificateWizardPage/SettingsEdgeCertificateWizardPage.tsx | Wizard container wiring steps + close behavior. |
| web/src/pages/SettingsCoreCertificateWizardPage/useSettingsCoreCertificateWizardStore.ts | Adds zustand store for Core cert wizard flow. |
| web/src/pages/SettingsCoreCertificateWizardPage/types.ts | Defines step IDs for Core cert wizard. |
| web/src/pages/SettingsCoreCertificateWizardPage/style.scss | Adds styles for Core cert wizard summary card. |
| web/src/pages/SettingsCoreCertificateWizardPage/steps/SettingsCoreCertificateWizardSummaryStep.tsx | Summary step invalidating cert queries and routing back. |
| web/src/pages/SettingsCoreCertificateWizardPage/steps/SettingsCoreCertificateWizardInternalUrlSslConfigStep.tsx | Internal SSL config step using InternalSslResult. |
| web/src/pages/SettingsCoreCertificateWizardPage/steps/SettingsCoreCertificateWizardInternalUrlSettingsStep.tsx | Internal URL SSL selection + optional cert/key upload. |
| web/src/pages/SettingsCoreCertificateWizardPage/SettingsCoreCertificateWizardPage.tsx | Wizard container wiring steps + close behavior. |
| web/src/pages/settings/SettingsIndexPage/useCertificatesWarningState.ts | Adds expiry-based warning state (badge + icon) for certificates. |
| web/src/pages/settings/SettingsIndexPage/types.ts | Adds certs tab to settings tab schema. |
| web/src/pages/settings/SettingsIndexPage/tabs/SettingsCertificatesTab/SettingsCertificatesTab.tsx | New Certificates tab with links to CA and certs pages. |
| web/src/pages/settings/SettingsIndexPage/SettingsIndexPage.tsx | Adds Certificates tab and decorates it with warning icon/colors. |
| web/src/pages/settings/SettingsCertificatesPage/style.scss | Styles for certificates overview page elements. |
| web/src/pages/settings/SettingsCertificatesPage/SettingsCertificatesPage.tsx | New certificates overview page with core/edge sections and actions. |
| web/src/pages/settings/SettingsCaPage/style.scss | Styles for CA information layout. |
| web/src/pages/settings/SettingsCaPage/SettingsCaPage.tsx | New CA details page (email, expiry, download). |
| web/src/pages/settings/SettingsCaPage/assets/ca.png | Adds CA illustration asset. |
| web/src/pages/MigrationWizardPage/steps/MigrationWizardInternalUrlSslConfigStep.tsx | Refactors to use InternalSslResult and updates Divider import. |
| web/messages/en/settings.json | Adds i18n strings for certificates pages/wizards/tab. |
| web/messages/en/initial_wizard.json | Fixes port text for internal/external SSL wizard messages. |
| crates/defguard/src/main.rs | Wires new web_reload_tx into core webapp setup. |
| crates/defguard_setup/tests/auto_wizard_url_settings.rs | Updates expected behavior for LetsEncrypt “validate only” semantics. |
| crates/defguard_setup/src/migration.rs | Wires new web_reload_tx into migration webapp setup. |
| crates/defguard_setup/src/handlers/initial_wizard.rs | Reformats CA response JSON payload. |
| crates/defguard_setup/src/handlers/auto_wizard.rs | Refactors SSL setting logic to reuse defguard_core::cert_settings. |
| crates/defguard_proxy_manager/src/lib.rs | Adds handling for ClearHttpsCerts broadcast to proxies. |
| crates/defguard_core/tests/integration/api/proxy_certs.rs | Reworks proxy cert tests around new settings endpoints and clear/broadcast semantics. |
| crates/defguard_core/tests/integration/api/core_certs.rs | Reworks core cert tests around new internal URL settings endpoint. |
| crates/defguard_core/tests/integration/api/common/mod.rs | Adds shared test helper for generating cert/key PEM pairs. |
| crates/defguard_core/src/lib.rs | Registers new routes and implements core web server reload loop for TLS changes. |
| crates/defguard_core/src/handlers/proxy.rs | Removes legacy proxy cert endpoints from proxy handler module. |
| crates/defguard_core/src/handlers/mod.rs | Makes core_certs module public. |
| crates/defguard_core/src/handlers/core_certs.rs | Adds new core/proxy cert handlers for URL settings + CA/certs introspection. |
| crates/defguard_core/src/handlers/component_setup.rs | Updates ACME flow to infer hostname from public_proxy_url and persist expiry. |
| crates/defguard_core/src/enterprise/firewall/tests/mod.rs | Import cleanup (SupportType path). |
| crates/defguard_core/src/cert_settings.rs | New shared cert settings logic (validation, CA-signed issuance, persistence). |
| crates/defguard_core/src/appstate.rs | Adds web_reload_tx to app state. |
| crates/defguard_core/Cargo.toml | Adds rustls dependency for cert/key validation. |
| crates/defguard_common/src/types/proxy.rs | Adds ClearHttpsCerts control message variant. |
| crates/defguard_certs/src/lib.rs | Adds parsing of subject email from SAN and improves test accordingly. |
| Cargo.lock | Lockfile update for new dependency usage. |


@j-chmielewski j-chmielewski marked this pull request as ready for review April 8, 2026 10:39
t-aleksander previously approved these changes Apr 8, 2026
@j-chmielewski j-chmielewski merged commit 3d64e42 into dev Apr 8, 2026
3 checks passed
@j-chmielewski j-chmielewski deleted the certificate-settings branch April 8, 2026 15:12