[pve-devel] Changing SSL Certificates
Kurt Smolderen
kurt.smolderen at ua.ac.be
Mon Oct 8 09:44:01 CEST 2012
On 08-10-12 06:57, Dietmar Maurer wrote:
>> I want to change my SSL certificates for valid ones.
>> I've changed the SSL certificates in apache, without any problem.
> How did you change that? You need to replace the files
>
> /etc/pve/local/pve-ssl.pem
> /etc/pve/local/pve-ssl.key
>
> Those files are normally auto-generated with the cluster wide CA:
>
> /etc/pve/priv/pve-root-ca.key
> /etc/pve/pve-root-ca.pem

The problem here is that you also need to replace the pve-root-ca.pem
certificate with one which also allows certificate signing. These
certificates tend to be quite expensive. If you don't do this, you won't
be able to add new nodes to your cluster, will you? Or can you manually
add the certificates for each node as long as they are signed by the
same root certificate?

In our cluster setup, we've replaced the certificates in the apache
configuration with signed ones and left the certificates in
/etc/pve/local untouched (the signed ones are located in /etc/ssl/certs).
The only caveat we encountered was when you also changed the domain name
of the proxmox host: the certificates generated by proxmox contain the
server name as CN and the fully qualified domain name as Alternate DN.
So changing one of these makes your certificates invalid. You should run
"pvecm updatecerts -force" on each of your systems and I think reboot
your host (or restart the necessary services).

Regards,
Kurt
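
Added example, not part of the original message: a shell check for the rename caveat described above, testing that a node certificate still chains to the cluster CA and still covers the host's current name. The throwaway CA, the name node1.example.test and the function names are constructed for illustration; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# check_node_cert CERT CA_CERT HOSTNAME
# Returns 0 = ok, 1 = CERT does not chain to CA_CERT, 2 = HOSTNAME not covered.
check_node_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    # -checkhost prints "does match" or "does NOT match"; OpenSSL ignores
    # the CN whenever the certificate carries a DNS subjectAltName.
    openssl x509 -in "$1" -noout -checkhost "$3" 2>/dev/null \
        | grep -q 'does match' || return 2
    return 0
}

# Constructed sample data: a throwaway CA, an unrelated second CA, and a node
# certificate with the short name as CN and the FQDN as alternative name,
# all written to the directory given as $1.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Cluster CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=node1" \
        -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
    printf 'subjectAltName=DNS:node1.example.test\n' > "$d/san.ext"
    openssl x509 -req -in "$d/node.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" \
        -out "$d/node.pem" 2>/dev/null
}

# Demo: the original name passes, a renamed host fails the name check.
demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir"
for name in node1.example.test node2.example.test; do
    rc=0
    check_node_cert "$demo_dir/node.pem" "$demo_dir/ca.pem" "$name" || rc=$?
    echo "$name -> $rc"
done
rm -rf "$demo_dir"

# On a cluster node, with the paths quoted in this thread:
#   check_node_cert /etc/pve/local/pve-ssl.pem /etc/pve/pve-root-ca.pem "$(hostname -f)"
```
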