PVE custom certificate with Windows CA no trust issues

unsichtbarre

Oct 1, 2024
I would like to create a certificate for PVE with my domain Windows CA. I am having no luck getting the browser to accept it; it still shows "not secure".

  1. Create key: openssl genrsa -out /etc/pve/nodes/pve101/pveproxy-ssl.key 2048
  2. Create CSR: openssl req -new -key /etc/pve/nodes/pve101/pveproxy-ssl.key -out /etc/pve/nodes/pve101/pveproxy-ssl.csr
  3. Submit to Windows Domain CA
  4. Download certificate
  5. Upload certificate to PVE
Not trusted by browser, all properties show correctly. What am I missing?

THX,
-JB

AD certificates are only trusted if 1) the client which connects to PVE is a domain member, 2) the certificate has been issued by an AD certification authority and 3) the AD CA is being (forced) trusted by GPOs. You created a self-signed cert which won't be trusted.
Thanks for the reply.
The client I'm using is in fact a domain member. Also the certificate was created from the CSR using the windows domain CA.
I'll have to look further at point 3 that you make to be sure that the Windows / domain CA is trusted; however, the AD web certificate services site resolves just fine without any certificate errors. It is just the services that I create within it that are not working correctly.

-JB
I have found my issue. The CSR was issued without any SAN using: openssl req -new -key /etc/pve/nodes/pve101/pveproxy-ssl.key -out /etc/pve/nodes/pve101/pveproxy-ssl.csr. It seems that browsers do not respect CN, only SAN.

Recreated:
  1. openssl genrsa -out /etc/pve/nodes/pve101/pveproxy-ssl.key 2048
  2. Create *.cnf
  3. openssl req -new -key /etc/pve/nodes/pve101/pveproxy-ssl.key -out pve101.csr -config pve101.cnf
  4. Upload *.csr to windows CA (web)
  5. Download *.crt
  6. Upload *.crt to PVE
  7. Close and restart browser
  8. No warnings
*.cnf contents
Code:
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn

[ dn ]
CN = pve101.lab.vmsources.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = pve101.lab.vmsources.com
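The CN-only CSR in the first post could have been caught before it was ever sent to the CA. The following is an added example (not from the thread or from Proxmox): it writes the same request config, builds the key and CSR, and checks that the CSR actually carries the DNS SAN; the hostname and the temporary work directory (instead of /etc/pve/nodes/...) are assumptions.

```shell
#!/bin/sh
# Added example: build a CSR with a subjectAltName and verify the SAN is present
# before submitting it to the Windows CA. HOST and WORK are assumed values.
set -eu

HOST="${HOST:-pve101.lab.vmsources.com}"   # assumed node FQDN
WORK="${WORK:-$(mktemp -d)}"               # scratch dir, not /etc/pve/nodes/...

# Same request config as the thread's *.cnf, with the hostname substituted.
write_req_config() {
    cat > "$WORK/$HOST.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
req_extensions     = req_ext
distinguished_name = dn

[ dn ]
CN = $HOST

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $HOST
EOF
}

# Key plus CSR built with -config, so the SAN extension is requested.
make_san_csr() {
    write_req_config
    openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$HOST.key" -out "$WORK/$HOST.csr" \
        -config "$WORK/$HOST.cnf"
}

# CSR built the way the first post did it (CN only, no extensions);
# -subj replaces the interactive prompts for the example.
make_cn_only_csr() {
    openssl req -new -key "$WORK/$HOST.key" -out "$WORK/$HOST-plain.csr" \
        -subj "/CN=$HOST"
}

# Return 0 only if the CSR text lists DNS:<host>; "DNS:" appears only in a SAN.
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$HOST"
}

make_san_csr
make_cn_only_csr
csr_has_san "$WORK/$HOST.csr" && echo "SAN present in $WORK/$HOST.csr"
```

Run the SAN check on any CSR before uploading it to the CA web enrollment page; a CSR that fails it will produce a certificate browsers reject no matter how the CA is trusted.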