Thanks for the quick iteration on this! Changes look good to me - and I consider them an improvement to before.
Tested this quickly by:
1) removing pve-root-ca (key and cert), the node's pve-ssl (key and cert)
2) running `pvecm updatecerts --force`
3) installing pve-cluster packages with your patches applied
4) recreating the certificate (point 1+2) again
5) vimdiffing old and new files - changes look sensible (apart from the uuid, only the added keyUsage extension)
6) running the test-script from your commit-message after restarting pveproxy

did not read/recheck everything in RFC 5280 though.

consider this series

Reviewed-by: Stoiko Ivanov <[email protected]>
Tested-by: Stoiko Ivanov <[email protected]>

On Mon, 26 Jan 2026 10:55:42 +0100
Arthur Bied-Charreton <[email protected]> wrote:

> The main fix (1/3) adds the keyUsage extension to PVE's root CA, which
> is required by RFC 5280.
>
> {2,3}/3 address review feedback [1] by eliminating temporary config
> files and moving temp file creation from /tmp to /run to prevent symlink
> races.
>
> More details in the commit messages.
>
> [1]
> https://lore.proxmox.com/pve-devel/[email protected]/T/#t
>
> Arthur Bied-Charreton (3):
>   fix #6701: Add keyUsage extension to root CA
>   Convert SSL cert generation config to CLI arguments
>   Create temporary CSR file in /run instead of /tmp
>
>  src/PVE/Cluster/Setup.pm | 45 +++++++++++-----------------------------
>  1 file changed, 12 insertions(+), 33 deletions(-)
>
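For readers who want to reproduce the "added keyUsage extension" diff from step 5 outside of a PVE node, the following is an added example (not code from the series, from pve-cluster, or from either author): it builds two throwaway root CAs with plain `openssl`, one with and one without the keyUsage extension the cover letter describes, and checks which of them carries keyCertSign as RFC 5280 section 4.2.1.3 requires of a CA. The CA subject, key size and lifetime are constructed values; the `mktemp -d` working directory is this example's own choice of a non-predictable temp path and is not a claim about how Setup.pm handles its CSR file.

```shell
#!/bin/sh
# Added example (not PVE code): show the difference between a root CA that
# carries the RFC 5280 keyUsage extension and one that does not, and check
# for the keyCertSign bit the way a reviewer would after a cert regeneration.
set -e

# Create a self-signed root CA in $1. Any further arguments are passed to
# "openssl req" unchanged, so the caller decides whether keyUsage is added.
# Subject, key size and validity are constructed values for this example.
make_root_ca() {
    dir=$1; shift
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=example-root-ca" "$@" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# Return 0 when the certificate's X509v3 Key Usage extension includes
# keyCertSign (printed as "Certificate Sign" by openssl), 1 otherwise.
# A CA certificate without this bit violates RFC 5280 section 4.2.1.3 and
# stricter TLS stacks reject chains signed by it.
has_keycertsign() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Key Usage' \
        | grep -q 'Certificate Sign'
}

# Work in a directory created by mktemp: unpredictable name, mode 0700,
# so no pre-existing path (or symlink) can be substituted for our files.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/with" "$work/without"

# CA as RFC 5280 expects it: keyUsage present, critical, with keyCertSign.
make_root_ca "$work/with" -addext "keyUsage = critical, keyCertSign, cRLSign"
# CA without any keyUsage extension (the pre-fix situation described above).
make_root_ca "$work/without"

if has_keycertsign "$work/with/ca.pem"; then
    echo "with keyUsage:    keyCertSign present, OK"
fi
if ! has_keycertsign "$work/without/ca.pem"; then
    echo "without keyUsage: keyCertSign missing, not RFC 5280 compliant"
fi
```

`openssl x509 -in /path/to/ca.pem -noout -text` on a real node's root CA shows the same "X509v3 Key Usage" block the check looks for, which is a quick way to confirm that a regenerated CA picked up the extension; `-addext` needs OpenSSL 1.1.1 or newer.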
