diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CertController.php b/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CertController.php
index e196e369f..567039d0d 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CertController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Trust/Api/CertController.php
@@ -42,6 +42,11 @@ class CertController extends ApiMutableModelControllerBase
     protected static $internalModelName = 'cert';
     protected static $internalModelClass = 'OPNsense\Trust\Cert';
 
+    /**
+     * @var private key data when not stored locally
+     */
+    private $response_priv_key = null;
+
 
     protected function setBaseHook($node)
     {
@@ -69,6 +74,7 @@ class CertController extends ApiMutableModelControllerBase
                     if ((string)$node->private_key_location == 'local') {
                         /* return only in volatile storage */
                         $node->prv_payload = $data['prv'];
+                        $this->response_priv_key = $data['prv'];
                     } else {
                         $node->prv= base64_encode($data['prv']);
                     }
@@ -152,7 +158,11 @@ class CertController extends ApiMutableModelControllerBase
     }
     public function addAction()
     {
-        return $this->addBase('cert', 'cert');
+        $response = $this->addBase('cert', 'cert');
+        if ($response['result'] == 'saved' && !empty($this->response_priv_key)) {
+            $response['private_key'] = $this->response_priv_key;
+        }
+        return $response;
     }
     public function setAction($uuid = null)
     {
diff --git a/src/opnsense/mvc/app/views/OPNsense/Trust/cert.volt b/src/opnsense/mvc/app/views/OPNsense/Trust/cert.volt
index a07f62021..b3b3f6cf9 100644
--- a/src/opnsense/mvc/app/views/OPNsense/Trust/cert.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Trust/cert.volt
@@ -27,6 +27,20 @@
    <script>
        'use strict';
 
+       function download_content(payload, filename, file_type) {
+            let a_tag = $('<a></a>').attr('href','data:application/json;charset=utf8,' + encodeURIComponent(payload))
+                .attr('download', filename).appendTo('body');
+
+            a_tag.ready(function() {
+                if ( window.navigator.msSaveOrOpenBlob && window.Blob ) {
+                    var blob = new Blob( [ payload ], { type: file_type } );
+                    navigator.msSaveOrOpenBlob( blob, 'aliases.json' );
+                } else {
+                    a_tag.get(0).click();
+                }
+            });
+       }
+
        $( document ).ready(function () {
            let grid_cert = $("#grid-cert").UIBootgrid({
                search:'/api/trust/cert/search/',
@@ -77,6 +91,14 @@
                     });
                 }
             });
+            /**
+             * register handler to download private key on save
+             */
+            $(document).ajaxComplete(function(event,request, settings){
+                if (settings.url.startsWith('/api/trust/cert/add') && request.responseJSON && request.responseJSON.private_key) {
+                    download_content(request.responseJSON.private_key, 'key.pem', 'application/octet-stream');
+                }
+            });
 
             $("#filter_container").detach().prependTo('#grid-cert-header > .row > .actionBar > .actions');
             $("#ca_filter").change(function(){