diff --git a/src/etc/rc.d/captiveportal b/src/etc/rc.d/captiveportal
index 806a5b3f9..fd705ac4d 100755
--- a/src/etc/rc.d/captiveportal
+++ b/src/etc/rc.d/captiveportal
@@ -57,12 +57,18 @@ captiveportal_start()
         echo "Starting API dispatcher"
         /usr/local/sbin/lighttpd -f /var/etc/lighttpd-api-dispatcher.conf
 
+        # generate ssl certificates
+        /usr/local/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
+
         # startup / bootstrap zones
         for zoneid in $CPZONES
         do
             # bootstrap captiveportal jail
             zonedirname="zone$zoneid"
             echo "Install : zone $zoneid"
+            if [ ! -d $CPWORKDIR/$zonedirname ]; then
+                mkdir $CPWORKDIR/$zonedirname
+            fi
             if [ -d $CPWORKDIR/$zonedirname/tmp ]; then
                 # remove temp (flush)
                 rm -rf $CPWORKDIR/$zonedirname/tmp
diff --git a/src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php b/src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
new file mode 100755
index 000000000..16758d397
--- /dev/null
+++ b/src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
@@ -0,0 +1,68 @@
+#!/usr/local/bin/php
+<?php
+/**
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+// use legacy code to generate certs and ca's
+// eventually we need to replace this.
+require_once("config.inc");
+require_once("certs.inc");
+require_once("legacy_bindings.inc");
+use OPNsense\Core\Config;
+global $config;
+
+// traverse captive portal zones
+$configObj = Config::getInstance()->object();
+if (isset($configObj->OPNsense->captiveportal->zones)) {
+    foreach ($configObj->OPNsense->captiveportal->zones->children() as $zone) {
+        $cert_refid = (string)$zone->certificate;
+        $zone_id = (string)$zone->zoneid;
+        // if the zone has a certificate attached, search for its contents
+        if ($cert_refid != "") {
+            foreach ($configObj->cert as $cert) {
+                if ($cert_refid == (string)$cert->refid) {
+                    // generate cert pem file
+                    $pem_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));
+                    $pem_content .= str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->prv)));
+                    $output_pem_filename = "/var/etc/cert-cp-zone" . $zone_id . ".pem" ;
+                    file_put_contents($output_pem_filename, $pem_content);
+                    chmod($output_pem_filename, 0600);
+                    echo "certificate generated " .$output_pem_filename . "\n";
+                    // generate ca pem file
+                    if (!empty($cert->caref)) {
+                        $output_pem_filename = "/var/etc/ca-cp-zone" . $zone_id . ".pem" ;
+                        $ca = str_replace("\n\n", "\n", str_replace("\r", "", ca_chain($cert)));
+                        file_put_contents($output_pem_filename, $pem_content);
+                        chmod($output_pem_filename, 0600);
+                        echo "certificate generated " .$output_pem_filename  ."\n";
+                    }
+                }
+            }
+        }
+    }
+}