pmg-ssl-certificate.adoc

   1 SSL certificate
   2 ---------------
   3
   4 Access to the administration web interface is always done via
   5 `https`. The default certificate is never valid for your browser and
   6 you get always warnings.
   7
   8 If you want to get rid of these warnings, you have to generate a valid
   9 certificate for your server.
  10
  11 Login to your Proxmox via ssh or use the console:
  12
  13 ----
  14 openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.pem
  15 ----
  16
  17 Follow the instructions on the screen, see this example:
  18
  19 ----
  20 Country Name (2 letter code) [AU]: AT
  21 State or Province Name (full name) [Some-State]:Vienna
  22 Locality Name (eg, city) []:Vienna
  23 Organization Name (eg, company) [Internet Widgits Pty Ltd]: Proxmox GmbH
  24 Organizational Unit Name (eg, section) []:Proxmox Mail Gateway
  25 Common Name (eg, YOUR name) []: yourproxmox.yourdomain.com
  26 Email Address []:support@yourdomain.com
  27
  28 Please enter the following 'extra' attributes to be sent with your certificate request
  29 A challenge password []: not necessary
  30 An optional company name []: not necessary
  31 ----
  32
  33 After you finished this certificate request you have to send the file
  34 `req.pem` to your Certification Authority (CA). The CA will issue the
  35 certificate (BASE64 encoded) based on your request – save this file as
  36 `cert.pem` to your Proxmox.
  37
  38 To activate the new certificate, do the following on your Proxmox:
  39
  40 ----
  41 cat key.pem cert.pem >/etc/pmg/pmg-api.pem
  42 ----
  43
  44 The restart the API servers
  45
  46 ----
  47 systemctl restart pmgproxy
  48 ----
  49
  50 Test your new certificate by using your browser.
  51
  52 NOTE: To transfer files from and to your Proxmox, you can use secure
  53 copy: If you desktop is Linux, you can use the `scp` command line
  54 tool. If your desktop PC is windows, please use a scp client like
  55 WinSCP (see http://winscp.net/).
  56
  57
  58 Change Certificate for Cluster Setups
  59 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  60
  61 If you change the API certificate of an active cluster node, you also
  62 need to update the fingerprint inside the cluster configuration file
  63 `cluster.conf`. It is best to edit that file on the master node.
  64
  65 To show the actual fingerprint use:
  66
  67 ----
  68 openssl x509 -in /etc/pmg/pmg-api.pem -noout -fingerprint -sha256
  69 ----