Proxmox Install SSL/TLS Certificates

Aug 3, 2022 · 2 mins read

In the video below, we show you how to install a signed SSL/TLS certificate in Proxmox.

We show how to create the private key, certificate signing request (CSR) and signed certificate using OpenSSL.

Then we cover how you can install the key and certificate through the GUI on a standalone server.

Because a cluster replicates information among servers, we show a different method so that you can install private keys and certificates for these as well.

Steps Taken Using OpenSSL

Log in to the Root CA, then change to the ca folder
    cd ca

  1. Create the private key
    openssl genrsa -out private/pvenode1.key 2048

  2. Create a configuration file
    nano csr/pvenode1-csr.conf

    [ req ]
    # See 'man req'
    # Used by the req command
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no

    [ req_distinguished_name ]
    # Certificate signing request
    countryName = GB
    stateOrProvinceName = England
    organizationName = TempLab
    commonName = pvenode1.templab.lan

    [ req_ext ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS.1 = pvenode1.templab.lan

  3. Generate the certificate signing request (CSR)
    openssl req -new -key private/pvenode1.key -sha256 -out csr/pvenode1.csr -config csr/pvenode1-csr.conf

  4. Create signed certificate
    openssl ca -config root-ca.conf -notext -in csr/pvenode1.csr -out certs/pvenode1.crt -extensions req_ext -extfile csr/pvenode1-csr.conf

  5. Upload the key and certificate
    In the GUI this is relatively simple, if you use SFTP for instance.
    For a cluster, we'll replace the existing files:
    Connect to a PVE server and navigate to /etc/pve/nodes
    Replicate the folder structure on the local computer, e.g.
     pve-node1
     pve-node2
     pve-node3
    Copy the private keys and certificates to the correct local folder and rename them to
     pve-ssl.key
     pve-ssl.pem
    Back up the existing files in the folders on the server, e.g. rename them
    Copy the folders from the local computer to the server so that the signed certificates and new private keys are copied across
    SSH into the server and restart the service
     systemctl restart pveproxy
    Check that the new certificate is accepted; if so, restart the service on the other servers and check they are working as well
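
Before the files from steps 1 to 4 are renamed to pve-ssl.key and pve-ssl.pem and copied to a node, the pair can be checked on the CA host. The script below is an added example, not part of the original post: `check_pair` and `make_sample` are hypothetical helper names, and it assumes OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. check_pair and make_sample are
# hypothetical helper names. Assumes OpenSSL 1.1.1 or later (for "x509 -ext").

# check_pair KEY CERT HOSTNAME [CA_CERT]: returns 0 only if every check passes.
check_pair() {
    local key cert host ca key_pub crt_pub
    key=$1; cert=$2; host=$3; ca=${4:-}
    # 1. The certificate must carry the public half of this private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $key"; return 1; }
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate $cert"; return 1; }
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "FAIL: key and certificate do not match"; return 1; }
    # 2. The subjectAltName requested in [ alt_names ] must be in the signed
    #    certificate. Exact DNS-name match only; wildcards are not evaluated.
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxiq "DNS:$host" ||
        { echo "FAIL: no subjectAltName entry DNS:$host"; return 1; }
    # 3. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; return 1; }
    # 4. Optional: the certificate must verify against the root CA certificate.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
            { echo "FAIL: certificate does not verify against $ca"; return 1; }
    fi
    echo "OK: $cert matches $key and is valid for $host"
}

# make_sample DIR: writes a constructed, throwaway self-signed pair into DIR so
# the checks can be tried without touching the real CA.
make_sample() {
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = ext' '[ dn ]' 'commonName = pvenode1.templab.lan' \
        '[ ext ]' 'subjectAltName = DNS:pvenode1.templab.lan' > "$1/sample.conf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/sample.conf" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

# Real use: pass the key, the signed certificate, the node name and,
# optionally, the root CA certificate as arguments to this script.
if [ "$#" -ge 3 ]; then
    check_pair "$@"
fi
```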
