Proxmox Certificates

When using Proxmox, one would like to use either LetsEncrypt certificates or ones provided by a CA (in this case the DFN, the German research network). This allows seamless use of the SPICE protocol and avoids having to trust self-signed certificates in the browser.

LetsEncrypt

The problem with the LetsEncrypt ACME challenge is that it expects to be answered on port 80, which is normally not used by Proxmox. To complete the ACME request for a Proxmox host that is not publicly reachable, one can forward the challenge with a simple nginx reverse proxy listening for the server_name:

server {
    listen 80;
    server_name proxmox.host.example;
    location / {
        # proxmox opens port 80 for ACME
        proxy_pass http://proxmox-ip-address:80/;
    }
}

With this in place, one can simply enable ACME in Proxmox and no longer needs to worry about expiring certificates.
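The config above forwards everything that arrives on port 80 for that server_name to the Proxmox host, while the ACME HTTP-01 challenge only ever requests paths below /.well-known/acme-challenge/. The following variant is an added example, not part of the original page, that forwards only that path and answers everything else with 404; proxmox.host.example and proxmox-ip-address are placeholders as in the original config:

```nginx
# Added example: same reverse proxy, restricted to the ACME challenge path.
server {
    listen 80;
    server_name proxmox.host.example;

    # Only HTTP-01 challenge requests are passed on to the port 80 listener
    # that Proxmox opens while an ACME order is in progress. proxy_pass
    # without a URI part forwards the original request path unchanged.
    location /.well-known/acme-challenge/ {
        proxy_pass http://proxmox-ip-address:80;
    }

    # Nothing else on port 80 is proxied through to the Proxmox host.
    location / {
        return 404;
    }
}
```

After reloading nginx, an ACME order in Proxmox should still complete, since the challenge URL is the only one the CA fetches; any other request for the name on port 80 now stops at the proxy.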

CA certificates

Given a .p12 certificate from the CA, we need to convert it to a PEM file using:

openssl pkcs12 -in cert-from-ca.p12 -out new-cert.pem -nodes

The -nodes option writes the private key unencrypted. Enter the certificate passphrase when prompted.

Now we have a single file containing the certificates and the private key. We need to separate them to move them into their respective folders:

openssl storeutl -certs -out keychain.pem new-cert.pem
openssl storeutl -keys -out privatekey.pem new-cert.pem

Those two files can then be placed in /etc/ssl/certs/ and /etc/ssl/private/ respectively and referenced in the nginx config. For Proxmox, things are a little different.

To upload the keychain and private key to Proxmox, everything other than the PEM blocks has to be removed, so we strip the Bag Attributes and any other non-PEM lines from the output:

openssl storeutl -keys new-cert.pem | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > privatekey.pem
openssl storeutl -certs new-cert.pem | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > keychain.pem

Those files can then be uploaded to the Proxmox server under Certificates.
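The two sed commands above do the splitting by hand. The script below is an added example, not code from the original page, that wraps the same extraction in a small POSIX shell script: it writes the key file with mode 0600, refuses bundles that do not contain exactly one key and at least one certificate, and, when openssl is available, checks that the key actually belongs to the first certificate in the chain before anything is uploaded. The file names new-cert.pem, privatekey.pem and keychain.pem are the ones used on this page; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): split the bundle written by
# "openssl pkcs12 -in cert-from-ca.p12 -out new-cert.pem -nodes" into the
# private key and the certificate chain, keeping only the PEM blocks.
# Assumed file names: new-cert.pem (bundle), privatekey.pem, keychain.pem.

# Print only the PEM blocks with the given label from stdin. Everything else
# (Bag Attributes, the "0: Certificate"/"Total found" index lines that
# storeutl adds, subject/issuer lines, blank lines) is dropped.
extract_pem() {
    label="$1"
    sed -ne "/^-----BEGIN $label-----\$/,/^-----END $label-----\$/p"
}

# Number of PEM blocks with the given label in a file.
count_pem() {
    grep -c "^-----BEGIN $1-----\$" "$2"
}

# Write key and chain files; the key file is created with mode 0600.
# Returns 1 unless the bundle holds exactly one key and at least one
# certificate, so a wrong input file is caught before it is uploaded.
# pkcs12 -nodes writes the key as PKCS#8, i.e. with the "PRIVATE KEY" label.
split_bundle() {
    bundle="$1"; key_out="$2"; chain_out="$3"
    ( umask 077; extract_pem 'PRIVATE KEY' < "$bundle" > "$key_out" )
    extract_pem 'CERTIFICATE' < "$bundle" > "$chain_out"
    [ "$(count_pem 'PRIVATE KEY' "$key_out")" -eq 1 ] || return 1
    [ "$(count_pem 'CERTIFICATE' "$chain_out")" -ge 1 ] || return 1
    return 0
}

# Sanity check before uploading: the key must belong to the first (leaf)
# certificate of the chain. Compares the public key derived from each.
# Needs openssl; returns 2 when it is not installed, 1 on mismatch.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Usage: sh split-bundle.sh new-cert.pem privatekey.pem keychain.pem
if [ "$#" -eq 3 ]; then
    split_bundle "$1" "$2" "$3" || { echo "$1: expected one key and a certificate chain" >&2; exit 1; }
    key_matches_cert "$2" "$3"
    case $? in
        0) echo "ok: $2 matches the first certificate in $3" ;;
        2) echo "openssl not found, key/certificate check skipped" ;;
        *) echo "$2 does not match the first certificate in $3" >&2; exit 1 ;;
    esac
fi
```

The key/certificate comparison is the check worth keeping even when doing the split by hand: a bundle exported from the wrong .p12, or a chain whose leaf was replaced during renewal, fails it immediately, whereas Proxmox would only reveal the mismatch once the web service is restarted.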