diff --git a/icwmp/Makefile b/icwmp/Makefile
index 734191fe3..ee2d64a90 100755
--- a/icwmp/Makefile
+++ b/icwmp/Makefile
@@ -8,11 +8,11 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icwmp
-PKG_VERSION:=8.4.1
+PKG_VERSION:=8.4.2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/icwmp.git
-PKG_SOURCE_VERSION:=8e6bde511a8032a7ffb253e6c1323fc641c05b4c
+PKG_SOURCE_VERSION:=f7c42eaba6ec1ed83754f82815c6e98b5b693074
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 
diff --git a/icwmp/files/etc/init.d/icwmpd b/icwmp/files/etc/init.d/icwmpd
index 6cf8a4dd0..c7d07af99 100755
--- a/icwmp/files/etc/init.d/icwmpd
+++ b/icwmp/files/etc/init.d/icwmpd
@@ -106,7 +106,8 @@ validate_acs_section()
 		'compression:or("GZIP","Deflate","Disabled")' \
 		'retry_min_wait_interval:range(1, 65535)' \
 		'retry_interval_multiplier:range(1000, 65535)' \
-		'ipv6_enable:bool'
+		'ipv6_enable:bool' \
+		'ssl_capath:string'
 
 }
 
@@ -135,6 +136,7 @@ validate_cpe_section()
 }
 
 validate_defaults() {
+	local ssl_capath
 	config_load cwmp
 
 	validate_acs_section || {
@@ -142,6 +144,13 @@ validate_defaults() {
 		return 1;
 	}
 
+	# Put the cert pem file in keep list
+	if [ -f "${ssl_capth}" ]; then
+		if ! grep "${ssl_capath}" /lib/upgrade/keep.d/icwmp; then
+			echo "${ssl_capath}/*.pem" >> /lib/upgrade/keep.d/icwmp
+		fi
+	fi
+
 	[ -z "${url}" ] && [ -z "${dhcp_url}" ] && {
 		log "ACS url is empty can't start"
 		return 1;
diff --git a/icwmp/files/etc/uci-defaults/95-icwmp-generate-ssl b/icwmp/files/etc/uci-defaults/95-icwmp-generate-ssl
index e92b2d603..cb8f3c915 100644
--- a/icwmp/files/etc/uci-defaults/95-icwmp-generate-ssl
+++ b/icwmp/files/etc/uci-defaults/95-icwmp-generate-ssl
@@ -2,17 +2,37 @@
 
 . /lib/functions.sh
 
-regenerate_ssl_link(){
-	[ ! -d "/etc/ssl/certs" ] && return 0;
-	[ ! -f "/etc/ssl/certs/*.pem" ] && return 0;
+regenerate_ssl_link_path()
+{
+        local cert_dir all_file rehash
 
-	local cert_dir="/etc/ssl/certs"
-	local all_file=$(ls $cert_dir/*.pem)
+        cert_dir="${1}"
 
-	for cfile in $all_file
-	do
-		ln -s $cfile $cert_dir/$(openssl x509 -hash -noout -in $cfile).0
-	done
+        all_file=$(ls $cert_dir/*.pem 2>/dev/null)
+
+        [ ! -d "${cert_dir}" ] && return 0;
+        [ ! -f "${all_file}" ] && return 0;
+
+        for cfile in $all_file
+        do
+		rehash="$(openssl x509 -hash -noout -in $cfile)"
+		[ -f ${cert_dir}/${rehash}.0 ] || \
+			ln -s $cfile $cert_dir/${rehash}.0
+        done
+}
+
+regenerate_ssl_link()
+{
+        local cwmp_ca_path
+
+        regenerate_ssl_link_path "/etc/ssl/certs"
+
+        cwmp_ca_path=$(uci -q get cwmp.acs.ssl_capath)
+        if [[ "${cwmp_ca_path}" != "/etc/ssl/certs"* ]]; then
+                if [ -n "${cwmp_ca_path}" ]; then
+                        regenerate_ssl_link_path "${cwmp_ca_path}"
+                fi
+        fi
 }
 
 regenerate_ssl_link