From 98a741e0cfa7fc6f01f26a0a26a1dfcb12e0a153 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= Date: Fri, 15 Apr 2016 13:16:03 +0200 Subject: [PATCH] Add section about pveproxy certificates --- pveproxy.adoc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/pveproxy.adoc b/pveproxy.adoc index ca32089..f7111a1 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -86,6 +86,23 @@ used. NOTE: DH parameters are only used if a cipher suite utilizing the DH key exchange algorithm is negotiated. +Alternative HTTPS certificate +----------------------------- + +By default, pveproxy uses the certificate '/etc/pve/local/pve-ssl.pem' +(and private key '/etc/pve/local/pve-ssl.key') for HTTPS connections. +This certificate is signed by the cluster CA certificate, and therefor +not trusted by browsers and operating systems by default. + +In order to use a different certificate and private key for HTTPS, +store the server certificate and any needed intermediate / CA +certificates in PEM format in the file '/etc/pve/local/pveproxy-ssl.pem' +and the associated private key in PEM format without a password in the +file '/etc/pve/local/pveproxy-ssl.key'. + +WARNING: Do not replace the automatically generated node certificate +files in '/etc/pve/local/pve-ssl.pem'/'etc/pve/local/pve-ssl.key' or +the cluster CA files in '/etc/pve/pve-root-ca.pem'/'/etc/pve/priv/pve-root-ca.key'. ifdef::manvolnum[] include::pve-copyright.adoc[] -- 2.39.2
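Review bot: In the WARNING paragraph the second path is missing its leading slash: 'etc/pve/local/pve-ssl.key' should read '/etc/pve/local/pve-ssl.key', otherwise it looks like a relative path and no longer matches the path given in the first paragraph. In the first added paragraph, "therefor" should be "therefore". The paragraph describing '/etc/pve/local/pveproxy-ssl.pem' also leaves two things unstated that an admin installing a certificate will need: the order in which the server certificate and the intermediate / CA certificates must appear in the file, and whether pveproxy has to be restarted or reloaded before it uses the new files. Because the key in '/etc/pve/local/pveproxy-ssl.key' is stored without a password, a sentence saying who is able to read that file would be worth adding too.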