Hi Greg_E, yup, already have full ssh access to my pfsense box, I use this for custom config backups etc and for remote support (via ssh login with keys).
The config.xml file does contain a copy of the SSL certificate but on testing (by inserting random chars into the config entry) this did not affect the web frontend after restarting webconfig.
Looking at nginx’s config, it appears to use:
/var/etc/cert.crt
/var/etc/cert.key
for the https certificate, but editing this file doesn’t appear to make any difference and this file gets overridden on webconfig restart.
From reading through the webconfig restart script (and the /etc/inc/system.inc file), the cert.crt & cert.key files are created from the config.xml contents, but if I insert a random char into the certificate entry in config.xml, this doesn’t seem to affect the webconfig!
So I am at a loss as to how to push new certificates to my firewall.
sdfungi, yes there is an acme package for LetsEncrypt, but I already have a secured system that generates my certificates and manages all of my other servers. Also, I am reluctant to add something to my firewall that could potentially grant someone access to my DNS servers if they managed to hack my firewall (my SSL certificate box is totally locked down with no inbound access at all, requires physical access to get a terminal and uses ssh outbound only to push certs out).
Thanks