-By default, pveproxy uses the certificate '/etc/pve/local/pve-ssl.pem'
-(and private key '/etc/pve/local/pve-ssl.key') for HTTPS connections.
-This certificate is signed by the cluster CA certificate, and therefor
-not trusted by browsers and operating systems by default.
+You can change the certificate used to an external one or to one obtained via
+ACME.
+
+pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
+`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
+`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
+The private key may not use a passphrase.
+
+See the Host System Administration chapter of the documentation for details.
+
+COMPRESSION
+-----------
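Review bot: The added line "The private key may not use a passphrase." is ambiguous, since "may not" can be read as "might not" as well as a prohibition; wording such as "The private key must not be protected by a passphrase." states the requirement unambiguously. The replacement text also drops the removed explanation that the default pve-ssl.pem certificate is signed by the cluster CA and so is not trusted by browsers and operating systems by default, which was the only stated reason an administrator would want to switch certificates; consider keeping one sentence to that effect ahead of "You can change the certificate used ...". Finally, "if present" in the fallback sentence does not say what happens when only one of pveproxy-ssl.pem and pveproxy-ssl.key exists; it would help to state whether both files are required for the override to take effect.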