I'm wondering if Plesk also will implent HTTP Strict Transport (or HSTS) Security in the GUI. It's an extra layer of security for sites who need to be extra secure.

It's being done with a special header (mod_headers for Apache) and a TLS connection. The client (browser) can then verify if the server is the real server and not a man-in-the-middle server/attack.

It's as simple as adding the following code to the vhost config (HTTPS only!):

Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

SSL Certificate changes are currently not logged in Action Log in any way. Such changes should be logged as they are part of hosting settings.
Yet, they should reflect the certificate details (e.g. "Certificate A was changed to certificate B").

If you have a .pfx file containing Certificate, Private Key and CA certificate, allow to upload that container with one step.

This way, a customer doesnt have to use tools like openssl to extract and convert the certificate themselves.

.pfx is the preferred format on windows plattforms ,e.g. when you export a certificate from another IIS-based server.

Currently, to install a manual certificate:

1. Copy private key, paste private key, update Cert and CA
2. Go to Web Settings, change certificate to new one

Proposed process:

1. Select "Add Certificate" option next to the certificate
2. Private key automatically reused (perhaps read-only or hidden by default)
3. Name, Insert/Upload Certificate and CA
4. Show a "Replace certificate" option, that will update the domains that used the original certificate.