From: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Date: Fri, 15 Apr 2016 11:16:03 +0000 (+0200)
Subject: Add section about pveproxy certificates
X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=commitdiff_plain;h=98a741e0cfa7fc6f01f26a0a26a1dfcb12e0a153;hp=166e63d688e4a5f1d7da9ad913a36e09c74ed652

Add section about pveproxy certificates
---

diff --git a/pveproxy.adoc b/pveproxy.adoc
index ca32089..f7111a1 100644
--- a/pveproxy.adoc
+++ b/pveproxy.adoc
@@ -86,6 +86,23 @@ used.
 NOTE: DH parameters are only used if a cipher suite utilizing the DH key
 exchange algorithm is negotiated.
 
+Alternative HTTPS certificate
+-----------------------------
+
+By default, pveproxy uses the certificate '/etc/pve/local/pve-ssl.pem'
+(and private key '/etc/pve/local/pve-ssl.key') for HTTPS connections.
+This certificate is signed by the cluster CA certificate, and therefor
+not trusted by browsers and operating systems by default.
+
+In order to use a different certificate and private key for HTTPS,
+store the server certificate and any needed intermediate / CA
+certificates in PEM format in the file '/etc/pve/local/pveproxy-ssl.pem'
+and the associated private key in PEM format without a password in the
+file '/etc/pve/local/pveproxy-ssl.key'.
+
+WARNING: Do not replace the automatically generated node certificate
+files in '/etc/pve/local/pve-ssl.pem'/'etc/pve/local/pve-ssl.key' or
+the cluster CA files in '/etc/pve/pve-root-ca.pem'/'/etc/pve/priv/pve-root-ca.key'.
 
 ifdef::manvolnum[]
 include::pve-copyright.adoc[]