Node cert questions

Afox

Dec 18, 2014
Hello,

I have several questions regarding the certificate of a node:
  • Is there a reason why by default the certificate length is only 2048 bits?
  • Can I increase that length somehow and regenerate the cert?
  • Would it be possible to implement a possibility to create a csr from the GUI so that the plain key is not sent through the network/internet?
Thanks in advance for any answer.

Best regards,

Afox
 
Hello,

I have several questions regarding the certificate of a node:
  • Is there a reason why by default the certificate length is only 2048 bits?
could probably be bumped to 4096 nowadays (note that you can provide your own key and PVE will happily use that)
  • Can I increase that length somehow and regenerate the cert?
replace the key (openssl genrsa -out /etc/pve/local/pve-ssl.key 4096) and re-generate the certificate (pvecm updatecerts -f). verify with pvenode cert info.
  • Would it be possible to implement a possibility to create a csr from the GUI so that the plain key is not sent through the network/internet?
yes, but nobody requested that so far. honestly at this point, if you want that I'd just use let's encrypt (or another ACME compatible CA, you can also run your own!).
 
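The key replacement described in the reply above, written out as a script with the backup and post-check a practitioner would want. This is an added example, not code from the thread or from Proxmox. It assumes the Proxmox VE paths /etc/pve/local/pve-ssl.key and /etc/pve/local/pve-ssl.pem, the commands pvecm updatecerts -f and pvenode cert info named in the reply, and that pveproxy has to be restarted to serve a manually replaced certificate (an assumption, not something the thread states). It only makes sense for the self-signed node certificate; once the ACME integration is configured the key is regenerated by that flow, which is what the 2024 post below ran into.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: replace the node's
# RSA key with a longer one and regenerate the self-signed node certificate,
# then verify that the new certificate really belongs to the new key.
# Assumptions: PVE paths under /etc/pve/local, and that pveproxy must be
# restarted to pick up a manually replaced certificate.
set -eu

KEY_DIR=${KEY_DIR:-/etc/pve/local}
KEY_FILE="$KEY_DIR/pve-ssl.key"
CERT_FILE="$KEY_DIR/pve-ssl.pem"
BACKUP_DIR=${BACKUP_DIR:-/root}    # outside /etc/pve (pmxcfs), so a plain file copy is safe

# Only accept RSA sizes that are sane for a node cert (no 1024, no typos like 4069).
validate_bits() {
    case "$1" in
        2048|3072|4096) return 0 ;;
        *) return 1 ;;
    esac
}

# Modulus size of a PEM RSA private key. OpenSSL prints either
# "Private-Key: (4096 bit, 2 primes)" or "RSA Private-Key: (4096 bit ...)".
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Modulus size of the public key inside an X.509 certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# True only if the certificate was issued for exactly this private key.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

rotate_node_key() {
    bits=$1
    validate_bits "$bits" || { echo "refusing unsupported RSA size: $bits" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$KEY_FILE" "$BACKUP_DIR/pve-ssl.key.$stamp.bak"   # keep the old key in case regeneration fails
    umask 077
    openssl genrsa -out "$KEY_FILE" "$bits"                   # the step from the reply above
    pvecm updatecerts -f                                      # re-issues pve-ssl.pem from pve-root-ca for the new key
    systemctl restart pveproxy                                # assumption: pveproxy reads the cert only at start
    # Fail loudly if the cert on disk does not belong to the key we just wrote.
    key_matches_cert "$KEY_FILE" "$CERT_FILE" || { echo "key/cert mismatch after regeneration" >&2; return 1; }
    echo "key: $(key_bits "$KEY_FILE") bit, cert: $(cert_bits "$CERT_FILE") bit"
    pvenode cert info                                         # the verification step from the reply above
}

case "${1:-}" in
    --apply) rotate_node_key "${2:-4096}" ;;
    --check)
        key_matches_cert "$KEY_FILE" "$CERT_FILE" || { echo "key/cert mismatch" >&2; exit 1; }
        echo "cert public key: $(cert_bits "$CERT_FILE") bit" ;;
    "") ;;    # no arguments: only define the functions (e.g. when sourced)
    *) echo "usage: $0 --apply [bits] | --check" >&2; exit 2 ;;
esac
```

Run it on the node as root with `sh rotate-pve-key.sh --apply 4096`, and `--check` afterwards (or on any node at any time) to confirm the served certificate still matches the key; a mismatch after a cluster join or a restored backup is exactly the kind of silent fault the modulus comparison catches. The functions that only use openssl can be exercised on any machine with a throwaway key and self-signed certificate.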
OK, it's now 2024 and it appears that the default key length has been bumped to 4096. I'm using the auto Let's Encrypt with Cloudflare DNS plug-in. Is there some easy way to shorten to 2048? I want to push the certificate to an older switch with a 2048 limit. I could put stuff behind a reverse proxy, but I'd prefer to use native SSL support when available. I tried to replace the key as described above, but it's overwritten.
 
the ACME integration is meant to provide the PVE node itself with a certificate. it's not meant as a generic ACME client for other systems, please don't (ab)use it like that (there's plenty of generic ACME clients out there that give you that kind of control, including the one we re-use the DNS plugins from - acme.sh).
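What the reply above points at, as an added example that is not code from the thread, from Proxmox or from the acme.sh project: issue the switch its own 2048-bit certificate with a stand-alone acme.sh client using the same Cloudflare DNS-01 plugin PVE re-uses, so the node's ACME certificate keeps its default size and nothing on the node is abused for it. It assumes acme.sh is installed in $HOME/.acme.sh, that CF_Token and CF_Account_ID are exported for the dns_cf plugin, that switch01.example.com and /etc/ssl/switch are placeholder names, and that push_to_switch is a hypothetical hook you replace with your switch vendor's upload procedure.

```shell
#!/bin/sh
# Added example, not code from the thread, Proxmox or acme.sh: issue a 2048-bit
# certificate for a switch with a generic ACME client, check the key size before
# pushing it, and let acme.sh's own renewal cron re-run the push.
# Assumptions: acme.sh in $HOME/.acme.sh, CF_Token/CF_Account_ID exported for
# the dns_cf plugin, placeholder host and output paths, hypothetical push hook.
set -eu

ACME=${ACME:-"$HOME/.acme.sh/acme.sh"}
SWITCH_HOST=${SWITCH_HOST:-switch01.example.com}   # placeholder name
OUT_DIR=${OUT_DIR:-/etc/ssl/switch}                # placeholder path

# acme.sh arguments, one per line, so the requested key size is visible and checkable.
issue_args() {
    host=$1; bits=$2
    printf '%s\n' --issue --dns dns_cf -d "$host" --keylength "$bits" --server letsencrypt
}

# Modulus size of the installed private key, to confirm the switch will accept it.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Hypothetical hook: replace with scp/ssh, SNMP or the REST call your switch model offers.
push_to_switch() {
    echo "upload $1 and $2 to $SWITCH_HOST here"
}

issue_switch_cert() {
    bits=${1:-2048}
    [ -n "${CF_Token:-}" ] || { echo "CF_Token is not exported for the dns_cf plugin" >&2; return 1; }
    # shellcheck disable=SC2046   word-splitting of issue_args output is intended
    "$ACME" $(issue_args "$SWITCH_HOST" "$bits")
    mkdir -p "$OUT_DIR"
    # --install-cert copies the files out of acme.sh's store and records the paths
    # and reloadcmd, so every renewal from acme.sh's cron job pushes again.
    "$ACME" --install-cert -d "$SWITCH_HOST" \
        --key-file "$OUT_DIR/$SWITCH_HOST.key" \
        --fullchain-file "$OUT_DIR/$SWITCH_HOST.fullchain.pem" \
        --reloadcmd "sh $(readlink -f "$0") --push"
}

case "${1:-}" in
    --issue) issue_switch_cert "${2:-2048}" ;;
    --push)
        got=$(key_bits "$OUT_DIR/$SWITCH_HOST.key")
        [ "$got" = 2048 ] || { echo "installed key is $got bit, the switch wants 2048" >&2; exit 1; }
        push_to_switch "$OUT_DIR/$SWITCH_HOST.key" "$OUT_DIR/$SWITCH_HOST.fullchain.pem" ;;
    "") ;;    # no arguments: only define the functions
    *) echo "usage: $0 --issue [bits] | --push" >&2; exit 2 ;;
esac
```

Run `sh switch-cert.sh --issue` once with the Cloudflare variables exported; the `--push` branch refuses to upload anything that is not 2048 bits, which is the check you want in front of a device that hard-fails on larger keys. Keeping this client separate from the node's ACME configuration is the point of the reply above: the node keeps its 4096-bit certificate, and the switch gets a certificate sized for it.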
 