Add section about pveproxy certificates

diff --git a/pveproxy.adoc b/pveproxy.adoc
index ca320893e970cb2ad423f2f2aee56364b4214945..f7111a1256febcb5d5b7bc82836fead2c39972dc 100644 (file)
--- a/pveproxy.adoc
+++ b/pveproxy.adoc
@@ -86,6 +86,23 @@ used.
 NOTE: DH parameters are only used if a cipher suite utilizing the DH key
 exchange algorithm is negotiated.
 
 NOTE: DH parameters are only used if a cipher suite utilizing the DH key
 exchange algorithm is negotiated.
 

+Alternative HTTPS certificate
+-----------------------------
+
+By default, pveproxy uses the certificate '/etc/pve/local/pve-ssl.pem'
+(and private key '/etc/pve/local/pve-ssl.key') for HTTPS connections.
+This certificate is signed by the cluster CA certificate, and therefor
+not trusted by browsers and operating systems by default.
+
+In order to use a different certificate and private key for HTTPS,
+store the server certificate and any needed intermediate / CA
+certificates in PEM format in the file '/etc/pve/local/pveproxy-ssl.pem'
+and the associated private key in PEM format without a password in the
+file '/etc/pve/local/pveproxy-ssl.key'.
+
+WARNING: Do not replace the automatically generated node certificate
+files in '/etc/pve/local/pve-ssl.pem'/'etc/pve/local/pve-ssl.key' or
+the cluster CA files in '/etc/pve/pve-root-ca.pem'/'/etc/pve/priv/pve-root-ca.key'.

 
 ifdef::manvolnum[]
 include::pve-copyright.adoc[]
 
 ifdef::manvolnum[]
 include::pve-copyright.adoc[]