`/etc/pve/local/pve-ssl.key` or the cluster CA files in
`/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.
+[[sysadmin_certs_upload_custom]]
+Upload Custom Certificate
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you already have a certificate which you want to use for a {pve} node you
+can upload that certificate simply over the web interface.
+
+[thumbnail="screenshot/gui-node-certs-upload-custom.png"]
+
+Note that the certificates key file, if provided, mustn't be password
+protected.
[[sysadmin_certs_get_trusted_acme_cert]]
Trusted certificates via Let's Encrypt (ACME)
[[sysadmin_certs_acme_account]]
ACME Account
^^^^^^^^^^^^
+
+[thumbnail="screenshot/gui-datacenter-acme-register-account.png"]
+
You need to register an ACME account per cluster with the endpoint you want to
use. The email address used for that account will server as contact point for
renewal-due or similar notifications from the ACME endpoint.
-// TODO: screenshot of account register here
-
You can register and deactivate ACME accounts over the web interface
`Datacenter -> ACME` or using the `pvenode` command line tool.
----
That challenge provides also a certain value, but not over a text file, but
through a DNS record on the authority name server of the domain.
+[thumbnail="screenshot/gui-datacenter-acme-overview.png"]
+
{pve} supports both of those challenge types out of the box, you can configure
plugins either over the web interface under `Datacenter -> ACME`, or using the
`pvenode acme plugin add` command.
ACME Plugin configurations are stored in `/etc/pve/priv/acme/plugins.cfg`.
+A plugin is available for all nodes in the cluster.
+
+Node Domains
+^^^^^^^^^^^^
+
+Each domain is node specific. You can add new or manage existing domain entries
+under `Node -> Certificates`, or using the `pvenode config` command.
+
+[thumbnail="screenshot/gui-node-certs-add-domain.png"]
+
+After configuring the desired domain(s) for a node and ensuring that the
+desired ACME account is selected, you can order your new certificate over the
+web-interface. On success the interface will reload after 10 seconds.
+
+Renewal will happen xref:sysadmin_certs_acme_automatic_renewal[automatically].
[[sysadmin_certs_acme_http_challenge]]
ACME HTTP Challenge Plugin
The easiest way to configure a new plugin with the DNS API is using the web
interface (`Datacenter -> ACME`).
+[thumbnail="screenshot/gui-datacenter-acme-add-dns-plugin.png"]
+
Choose `DNS` as challenge type. Then you can select your API provider, enter
the credential data to access your account over their API.
If a node has been successfully configured with an ACME-provided certificate
(either via pvenode or via the GUI), the certificate will be automatically
-renewed by the pve-daily-update.service. Currently, renewal will be attempted
+renewed by the `pve-daily-update.service`. Currently, renewal will be attempted
if the certificate has expired already, or will expire in the next 30 days.