[SOLVED] Custom SSL Certificate Upload error

Aug 7, 2025
Hey all,

I am trying to upload a custom certificate to our 3 Nodes. I have successfully uploaded custom certificates to the Datacenter Manager and the Proxmox Backup Server, but the PVE nodes keep telling me:
400 Parameter verification failed.
certificates: invalid format - not a valid PEM-formatted string.
I am using the same method as with the PDM and PBS.
Got the Private Key that starts with
-----BEGIN PRIVATE KEY-----
and ends with
-----END PRIVATE KEY-----
in the Private Key (Optional) field, and my full certificate chain in the Certificate Chain Field:
Starting with:
Bag Attributes
localKeyID
friendlyName
subject
issuer
-----BEGIN CERTIFICATE-----
The CI Cert is first, then the chain with empty bag attributes from our local CA

Also tried some of the solutions I found in the forum already, but it does not work.
Get the same error via CLI
root@proxmox01:~$ pvenode cert set proxmox01.pem proxmox01-key.pem
400 Parameter verification failed.
certificates: invalid format - not a valid PEM-formatted string.


I hope you guys can help me.
 
Hi, what do you get if you issue the command
openssl x509 -in proxmox01.pem -noout -text
 
Hi,
I am not sure if this output contains sensitive data, so I redacted a little bit, hope that still works

root@proxmox01:~# openssl x509 -in proxmox01.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:00:02:4d:84:76:d1:0c:f8:b1:ff:c6:48:[...]:02:4d:84
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=de, DC=lra-ffb, DC=local, CN=Sub-CA-1
        Validity
            Not Before: Nov  7 11:19:14 2025 GMT
            Not After : Nov  7 11:19:14 2027 GMT
        Subject: CN=proxmox01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [REDACTED]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Microsoft certificate template:
                0,.$+.....7....Y...e......-..2.....O......d...
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            Microsoft Application Policies Extension:
                0.0
                ..+.......
            X509v3 Subject Key Identifier:
                FC:70:43:6A:8A:29:24:8B:E2:FE:80:[...]:91:CB:A2:0E:F4:63
            X509v3 Subject Alternative Name:
                DNS: proxmox01, DNS: proxmox01.local.lra-ffb.de
            X509v3 Authority Key Identifier:
                DD:CA:1B:85:53:E0:A0:27: D7:53:15[...]:E0:60:46:BA:7E:42
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=Sub-CA-1,CN=PKISRV2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=local,DC=lra-ffb,DC=de?certificateRevocationList?base?objectClass=cRLDistributionPoint
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=Sub-CA-1,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=local,DC=lra-ffb,DC=de?cACertificate?base?objectClass=certificationAuthority
                OCSP - URI:http://pkisrv3.local.lra-ffb.de/ocsp
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [REDACTED]


(EDIT: removed the emojis and added a space to keep them away)
 
It would be more readable (and not display smileys) if you used CODE tags (the </> button in the menu above). I'm writing this for future postings :).

I think I haven't run across fragments like
Microsoft certificate template:
0,.$+.....7....Y...e......-..2.....O......d...
in usual web certificates, but they may be quite OK as well, I don't know.

I'm afraid that without seeing all the files intact I'm not able to help. Of course I'm not suggesting you post them. Especially never share any private key.

What comes to my mind is the contents of the chain file... The command I posted above will not verify all of the certs in it. You would have to cut the file into particular certs. So without seeing it intact I can't check it.

But I think you can verify the files yourself using commands from
https://docs.acquia.com/acquia-cloud-platform/help/93661-verifying-validity-ssl-certificate

At least:

openssl rsa -inform PEM -in proxmox01-key.pem
openssl x509 -inform PEM -in proxmox01.pem

(the second command repeat for every cert cut from the chain)

openssl x509 -noout -modulus -in your_CN_cert.pem | openssl md5
openssl rsa -noout -modulus -in proxmox01-key.pem | openssl md5

openssl x509 -in your_CN_cert.pem -noout -pubkey
openssl rsa -in proxmox01-key.pem -pubout

Also, check the order of certs in the chain, as described in that page.

Edit: there is also "verify" subcommand.

https://unix.stackexchange.com/questions/16226/how-can-i-verify-ssl-certificates-on-the-command-line

openssl verify cert.pem

and:

"If your "ca-bundle" is a file containing additional intermediate certificates in PEM format:"

openssl verify -untrusted ca-bundle cert.pem

"If your openssl isn't set up to automatically use an installed set of root certificates (e.g. in /etc/ssl/certs), then you can use -CApath or -CAfile to specify the CA."

Hope that helps.
 
Followed the steps in the first link without a problem.
However, the verify subcommand revealed this:

Code:
root@proxmox01:~#  openssl verify proxmox01.pem
CN=proxmox01
error 20 at 0 depth lookup: unable to get local issuer certificate
error proxmox01.pem: verification failed
root@proxmox01:~#

I'm gonna check back with my colleagues and I will let you know the result.
 
Maybe the last tip from my post is useful in this situation:

you can use -CApath or -CAfile to specify the CA.
 
Hi,
sorry for the late response.

using the chain.pem with -CAfile works:
Code:
root@proxmox01:~# openssl verify -CAfile chain.pem proxmox01.pem
proxmox01.pem: OK

When trying to import it into Proxmox, I tried it like that:
content of chain.pem
content of proxmox01.pem

After that did not work, I tried
content of proxmox01.pem
content of chain.pem

same error across the board.
 
I have thought and compared various sources for almost an hour and my idea now is:
remove these introducing lines you mentioned here:

"and my full certificate chain in the Certificate Chain Field:
Starting with:
Bag Attributes
localKeyID
friendlyName
subject
issuer"


Maybe they confuse PVE somehow...

That is, let your certificate file start with
-----BEGIN CERTIFICATE-----

And let us know if it fixes your issue.
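Putting the two suggestions above into a small checker, as an added example that is neither part of this thread nor Proxmox's own code: it reports the lines outside PEM blocks (the Bag Attributes, subject= and issuer= text the OP described), re-emits the file as nothing but PEM blocks in their original order, and splits the chain into single certificates so each can be fed to openssl x509 one at a time, as the earlier post recommended. The sample bundle is constructed and its certificate bodies are placeholder bytes rather than real DER; the assumption is that the PVE check wants a file consisting only of well-formed PEM blocks.

```python
"""Check and clean a PEM bundle that still carries PKCS#12 "Bag Attributes" text.

Added example for this thread, not Proxmox code. It assumes, as the last post
suggests, that the uploaded file should consist only of well-formed PEM blocks
(leaf certificate first, then the chain). Standard library only.
"""
import base64
import binascii
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return [(label, compact_base64), ...] for every block, in file order.

    Raises ValueError when a body is not valid base64; that is one way to end
    up with "not a valid PEM-formatted string".
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        compact = "".join(body.split())
        try:
            base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block has a corrupt body: {exc}") from None
        blocks.append((label, compact))
    return blocks


def stray_lines(text):
    """Non-blank lines outside every PEM block: 'Bag Attributes', subject=, issuer=..."""
    return [line for line in PEM_BLOCK.sub("", text).splitlines() if line.strip()]


def _emit(label, compact):
    """Render one block with the base64 wrapped at 64 columns."""
    lines = [compact[i:i + 64] for i in range(0, len(compact), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def clean_pem(text):
    """Re-emit only the PEM blocks, dropping bag attributes and other stray text."""
    return "".join(_emit(label, compact) for label, compact in pem_blocks(text))


def split_certificates(text):
    """One clean PEM string per CERTIFICATE block, so each can be checked on its
    own with 'openssl x509 -noout -text' (run on the whole file, x509 reads only
    the first certificate)."""
    return [_emit(label, compact) for label, compact in pem_blocks(text)
            if label == "CERTIFICATE"]


def is_clean_pem(text):
    """True when the text is nothing but at least one well-formed PEM block."""
    try:
        return bool(pem_blocks(text)) and not stray_lines(text)
    except ValueError:
        return False


# Constructed sample in the shape the OP described: a PKCS#12 export with
# "Bag Attributes" ahead of each certificate. Bodies are placeholder bytes,
# not real DER, so only the PEM framing is meaningful here.
_LEAF = base64.b64encode(b"constructed leaf certificate placeholder").decode()
_CA = base64.b64encode(b"constructed intermediate CA placeholder").decode()
SAMPLE_BUNDLE = f"""Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: proxmox01
subject=CN=proxmox01
issuer=DC=de, DC=example, CN=Sub-CA-1
-----BEGIN CERTIFICATE-----
{_LEAF}
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN=Sub-CA-1
issuer=CN=Root-CA
-----BEGIN CERTIFICATE-----
{_CA}
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("stray lines:", stray_lines(SAMPLE_BUNDLE))
    print("clean as-is:", is_clean_pem(SAMPLE_BUNDLE))
    print(clean_pem(SAMPLE_BUNDLE), end="")
    print("certificates:", len(split_certificates(SAMPLE_BUNDLE)))
```

To use it on a real export, read the file contents into clean_pem and write the result to a new file (the script name and any file paths are yours to choose; none are from the thread). A file that is_clean_pem rejects is worth fixing before uploading; a file it accepts can still fail if the chain order or the key/certificate pairing is wrong, which is what the modulus comparison and openssl verify commands earlier in the thread are for.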