Proxmox SSL Certs

sircolin

Nov 12, 2009
Hi everyone, I have an SSL cert from Comodo and would very much like to change the existing SSL cert on Proxmox for the new one. I wonder if somebody could point me in the right direction to get this done.

At the moment my mobile phone complains every time I log in to 443.

thanks

Col
 
Ok.. Thanks for the information :-)

I have myhostname.ca.bundle and myhostname.crt

The ca.bundle seems to have 3 keys in there and the .crt file has one. I'm confused, since you refer to
SSLCertificateFile /etc/pve/pve-ssl.pem
SSLCertificateKeyFile /etc/pve/pve-ssl.key

Do the files need renaming or does the conf need changing?
Sorry, this is the first SSL cert I have ever installed.

In the meantime I will do some reading on the syntax of http.conf

Col
 
It would be the easiest method. Just make a copy of the current ones or rename them. Then copy in your public and private certs with the names Proxmox is already configured for.
 
OK, I have it working after 6 hours!

I added
SSLCertificateFile /etc/pve/dorris.berkscomputing.info.pem
SSLCACertificateFile /etc/pve/dorris_berkscomputing_info.crt
SSLCertificateChainFile /etc/pve/dorris_berkscomputing_info.ca-bundle
to /etc/apache2/sites-enabled/pve.conf

As this was a Comodo Free 90 Day SSL cert they sent it in a zip which contained 2 files
dorris_berkscomputing_info.ca-bundle
dorris_berkscomputing_info.crt
I uploaded
dorris_berkscomputing_info.crt
and
dorris_berkscomputing_info.ca-bundle
to /etc/pve/
Then
I made a new file called dorris.berkscomputing.info.pem,
added my private key, including
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,CAE3xxxxxxxxxxx698
and on the very next line I copied the entire contents of the .crt file and saved the file.

I issued
/etc/init.d/networking restart
entered my passphrase and bingo, it's working.

I then double-checked by visiting
I hope this saves someone 6 hours :-)

Col
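
The file layout described in the post above (an encrypted RSA private key followed by the server certificate in one .pem, plus a three-block CA bundle) can be checked before Apache is restarted. This is an added example, not code from the thread or from Proxmox; the function names and the sample blocks are constructed for illustration, and the check covers structure only, not whether the key actually matches the certificate.

```python
import base64
import re

# One PEM block: BEGIN line, optional "Name: value" headers, base64 body, END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inventory(pem_text):
    """Return one dict per PEM block: label, key/cert kind, encryption headers."""
    blocks = []
    for label, inner in PEM_RE.findall(pem_text):
        headers, body = {}, []
        for line in inner.splitlines():
            if ":" in line:                      # Proc-Type / DEK-Info header
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
            elif line.strip():
                body.append(line.strip())
        base64.b64decode("".join(body), validate=True)  # raises on a damaged body
        blocks.append({
            "label": label,
            "is_private_key": label.endswith("PRIVATE KEY"),
            "encrypted": "ENCRYPTED" in headers.get("Proc-Type", "")
                         or label == "ENCRYPTED PRIVATE KEY",
            "cipher": headers.get("DEK-Info", "").split(",")[0] or None,
        })
    return blocks

def check_layout(combined_pem, ca_bundle):
    """List problems in the key+certificate file and in the CA bundle."""
    combined, bundle = inventory(combined_pem), inventory(ca_bundle)
    keys = sum(b["is_private_key"] for b in combined)
    certs = sum(b["label"] == "CERTIFICATE" for b in combined)
    problems = []
    if keys != 1:
        problems.append(f"combined file: {keys} private keys, expected 1")
    if certs < 1:
        problems.append("combined file: no certificate")
    if any(b["label"] != "CERTIFICATE" for b in bundle):
        problems.append("CA bundle: contains something other than certificates")
    return problems

def _block(label, payload, headers=""):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed sample input: placeholder payloads, not real keys or certificates.
SAMPLE_KEY = _block("RSA PRIVATE KEY", b"constructed key bytes",
                    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n")
SAMPLE_CERT = _block("CERTIFICATE", b"constructed server certificate")
SAMPLE_BUNDLE = "".join(_block("CERTIFICATE", b"constructed CA %d" % n) for n in range(3))

if __name__ == "__main__":
    for b in inventory(SAMPLE_KEY + SAMPLE_CERT) + inventory(SAMPLE_BUNDLE):
        print(b)
    print(check_layout(SAMPLE_KEY + SAMPLE_CERT, SAMPLE_BUNDLE) or "layout OK")
```

The labels make it clear that the blocks in a CA bundle are certificates, and that only the block labelled PRIVATE KEY is secret material.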
 
Hi,
If you need more than a 90-day free certificate, you can also use certificates from CAcert: http://www.cacert.org/
For organisations, you can also use more than one admin to administer the organisation's certificates.

But you then have to install the class-1 (and class-3) CAcert certificates in your browser (but I think that's no problem).

Udo
 
Thanks for the tip, Udo.

But I fail to see how this could be helpful, since when I browse to your link above I get a certificate error.

I guess anyone that would browse to a server of mine would have to add the CA to their browser, clicking through the error. I guess that's why you wrote

But you then have to install the class-1 (and class-3) CAcert certificates in your browser

Is my thinking correct on this? If so, I guess a self cert would be just as good.

Thanks again

Col
 
Hi,
Yes, they aren't in the browsers yet, but they are working on this. If you distribute the account(s), you can give out the info to install the certs.
And it's different from a self-signed certificate, which nobody can control. Another advantage: CAcert informs you before your certificate expires, so you don't need your own infrastructure to administer your certificates... but this is a little bit OT.

Udo
 
Ah, now I understand.

I will have a good read through the site soon, but I'm just soooooo busy right now.

This may suit my needs for some of my private machines that just I use.
It's always good to support a new project :-)

Thanks for the heads up

Col