Node cert questions

[Afox]

Hello,

I have several questions regarding the certificate of a node:

• Is there a reason why by default the certificate length is only 2048 bits?
• Can I increase that length somehow and regenerate the cert?
• Would it be possible to implement a possibility to create a csr from the GUI so that the plain key is not sent through the network/internet?

Thanks in advance for any answer.

Best regards,

Afox

 

[fabian]

Hello,

I have several questions regarding the certificate of a node:

• Is there a reason why by default the certificate length is only 2048 bits?

could probably be bumped to 4096 nowadays (note that you can provide your own key and PVE will happily use that)

• Can I increase that length somehow and regenerate the cert?

replace the key (openssl genrsa -out /etc/pve/local/pve-ssl.key 4096) and re-generate the certificate (pvecm updatecerts -f). verify with pvenode cert info.

• Would it be possible to implement a possibility to create a csr from the GUI so that the plain key is not sent through the network/internet?

yes, but nobody requested that so far. honestly at this point, if you want that I'd just use let's encrypt (or another ACME compatible CA, you can also run your own!).

 

[Afox]

Thank you. How can I reload the GUI after recreation so that it uses the new cert?

nobody requested that so far

I just realized I created a request for this in 2018 and it has the status "ASSIGNED"
https://bugzilla.proxmox.com/show_bug.cgi?id=1782

 

[fabian]

Thank you. How can I reload the GUI after recreation so that it uses the new cert?

systemctl reload pveproxy

I just realized I created a request for this in 2018 and it has the status "ASSIGNED"
https://bugzilla.proxmox.com/show_bug.cgi?id=1782

fair enough I have to admit I did not actually check - seems I missed that one when it was initially filed.