diff --git a/packages/ns-api/files/ns.reverseproxy b/packages/ns-api/files/ns.reverseproxy index f567b64b3..16afe6c72 100755 --- a/packages/ns-api/files/ns.reverseproxy +++ b/packages/ns-api/files/ns.reverseproxy @@ -281,11 +281,22 @@ elif cmd == 'call': if data['name'] not in valid_certificates: raise ValidationError('name', 'invalid', data['name']) + old_ssl_certificate = e_uci.get("nginx", "_lan", "ssl_certificate") + old_ssl_certificate_key = e_uci.get("nginx", "_lan", "ssl_certificate_key") + # set default certificate for _lan e_uci.set('nginx', '_lan', 'ssl_certificate', valid_certificates[data['name']]['cert_path']) e_uci.set('nginx', '_lan', 'ssl_certificate_key', valid_certificates[data['name']]['key_path']) e_uci.set('nginx', '_lan', 'uci_manage_ssl', 'custom') + for domain in e_uci.get('nginx', dtype=str, list=True): + if e_uci.get('nginx', domain) != 'server': + continue + if e_uci.get('nginx', domain, 'ssl_certificate', default='') == old_ssl_certificate: + e_uci.set('nginx', domain, 'ssl_certificate', valid_certificates[data['name']]['cert_path']) + if e_uci.get('nginx', domain, 'ssl_certificate_key', default='') == old_ssl_certificate_key: + e_uci.set('nginx', domain, 'ssl_certificate_key', valid_certificates[data['name']]['key_path']) + # submit changes e_uci.save('nginx') diff --git a/packages/ns-flashstart/files/ns-flashstart b/packages/ns-flashstart/files/ns-flashstart index 24d975343..ed0e06f8e 100644 --- a/packages/ns-flashstart/files/ns-flashstart +++ b/packages/ns-flashstart/files/ns-flashstart 
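Review bot: The propagation loop compares and rewrites `ssl_certificate` and `ssl_certificate_key` independently, so a server section that shares only one of the two old `_lan` paths ends up with a certificate and key that no longer belong together, which nginx will most likely reject on reload. Treat the pair as a unit: read both values for `domain` and run the two `e_uci.set` calls only under `if (cert, key) == (old_ssl_certificate, old_ssl_certificate_key):`. The two reads of the old `_lan` values at the top of the hunk also pass no `default`, unlike the reads inside the loop. If `_lan` has no certificate configured yet, this presumably raises instead of returning a validation error; if a default of `''` is added, the loop must skip empty old values so that servers with no certificate set are not matched. The enclosing `elif cmd == 'call':` branch starts outside the hunk.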
@@ -137,10 +137,8 @@ def __save(pending_changes: bool): if pending_dhcp: subprocess.run(['ubus', 'call', 'uci', 'commit', json.dumps({'config': 'dhcp'})], check=True) if pending_firewall: - # reload the firewall if changes are there, this is done cause sets are not reloaded correctly after the - # commit this 100% needs to be fixed upstream. - e_uci.commit('firewall') - subprocess.run(['fw4', 'restart'], capture_output=True) + subprocess.run(['ubus', 'call', 'uci', 'commit', json.dumps({'config': 'firewall'})], check=True) + subprocess.run(['fw4', 'reload-sets'], capture_output=True) def __add_bypass_ipset():
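Review bot: The exit status of `fw4 reload-sets` is discarded (`capture_output=True` without `check=True`), so if reloading the sets fails, the firewall sets stay stale and `__save` still returns as if the change had been applied. The `ubus call uci commit` lines next to it use `check=True`; either do the same here, `subprocess.run(['fw4', 'reload-sets'], capture_output=True, check=True)`, or keep it best-effort and log `stderr` on a non-zero return code. The removed comment explained why an explicit step is needed after the commit; a one-line replacement such as `# sets are not reloaded correctly after the commit, reload them explicitly` would keep that rationale. `__save` starts outside the hunk.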