
How to Install an SSL Certificate on Proxmox

This tutorial shows you how to install an SSL certificate on Proxmox Virtual Environment (Proxmox VE) so the web interface is served over trusted HTTPS instead of the default self-signed certificate. You will also find the best place to buy an affordable SSL certificate for Proxmox.

If you’ve already generated the CSR code and received your SSL files, skip straight to the installation instructions.

Generate a CSR code on Proxmox

To get an SSL certificate from a trusted Certificate Authority (CA), you must first generate a CSR code and send it to the certificate provider. CSR stands for Certificate Signing Request: a block of encoded text that contains your contact details, such as domain name and company identity, along with the public key that will be embedded in your certificate.

You have two options:

  1. Generate the CSR automatically with our CSR Generator.
  2. Follow our step-by-step tutorial on how to create a CSR on Proxmox.

Submit the CSR to the Certificate Authority during checkout. Once the CA validates your request and issues the certificate, continue with the installation below.

Install an SSL certificate on Proxmox

After your CA signs the certificate and emails you the SSL files, you can begin the installation. Proxmox VE replaces its default self-signed certificate with your custom one. You do not edit a web server config or restart Apache/Nginx by hand, because Proxmox manages its own pveproxy service.

Before you start

  • Have your signed SSL files from your CA ready.
  • Make sure your private key is not password-protected; Proxmox will not accept an encrypted key.
  • You apply the certificate per node. In a cluster, repeat these steps on each node you want to secure.

These steps apply to Proxmox VE 7, 8, and the current 9.x release line. The certificate workflow is identical across these versions.

Step 1: Prepare the installation files

Download the ZIP archive your CA sent you and extract it on your computer. To activate SSL on Proxmox you need exactly two files:

  • fullchain.pem, your server certificate plus all intermediate certificates (excluding the root), merged into a single PEM file.
  • private-key.pem, your private key in PEM format, without a password.

Depending on your CA, you may receive the root and intermediate certificates as separate files or bundled in a single .ca-bundle file. For Proxmox, you must combine your server certificate and the intermediate(s) into one fullchain.pem file. Open a plain-text editor and paste the contents of each certificate into a single file.

The order matters. The full-chain file must start with your server (leaf) certificate, followed by the intermediate certificate(s). Each certificate block runs from its -----BEGIN CERTIFICATE----- line to its -----END CERTIFICATE----- line, like this:

-----BEGIN CERTIFICATE-----
(your server / leaf certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate)
-----END CERTIFICATE-----
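
A pre-flight check for the two files described in this step, as an added example that is not part of the original tutorial or of Proxmox's own tooling: it confirms the key is unencrypted, that the first certificate matches the key, that each following certificate is named as the issuer of the one before it, and that no self-signed root is appended. The function name check_pve_bundle and its exit codes are assumptions made for this example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: pre-flight check for fullchain.pem and private-key.pem.
# Exit codes (chosen for this example): 0 ok, 1 unreadable input,
# 2 encrypted key, 3 key/leaf mismatch, 4 wrong chain order, 5 root included.
check_pve_bundle() (
    chain=$1 key=$2
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT

    # PKCS#8 and legacy PEM keys both announce encryption in their header lines.
    if grep -Eq '^-----BEGIN ENCRYPTED|^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "private key is password-protected" >&2; exit 2
    fi

    # Split the bundle into one file per certificate block (1.pem, 2.pem, ...).
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$chain"
    [ -s "$tmp/1.pem" ] || { echo "no certificate found in $chain" >&2; exit 1; }

    # The first block must be the leaf, i.e. carry the public key of this private key.
    leaf_pub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || exit 1
    if [ "$leaf_pub" != "$key_pub" ]; then
        echo "first certificate does not match the private key" >&2; exit 3
    fi

    # Walk the chain by name: the issuer of block i must be the subject of
    # block i+1, and no block after the leaf may be self-issued (a root).
    i=1
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/$next.pem" -noout -subject_hash)
        next_issuer=$(openssl x509 -in "$tmp/$next.pem" -noout -issuer_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $next is not the issuer of certificate $i" >&2; exit 4
        fi
        if [ "$subject" = "$next_issuer" ]; then
            echo "certificate $next is a self-signed root; remove it" >&2; exit 5
        fi
        i=$next
    done
    echo "ok: $i certificate(s), leaf first, key matches"
)

# Run directly as: sh check.sh fullchain.pem private-key.pem
if [ "$#" -eq 2 ]; then check_pve_bundle "$1" "$2"; fi
```

The chain walk compares issuer and subject names only; it does not verify signatures, which pvenode and the browser still do.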

Step 2: Upload the certificate via the Proxmox GUI

The web interface is the simplest method, especially if you manage a single node:

  1. Log in to the Proxmox web interface.
  2. In the left panel, expand Datacenter, select your node, then go to System → Certificates.
  3. Under pveproxy-ssl.pem, click Upload Custom Certificate.
  4. Paste (or upload) your fullchain.pem into the Certificate Chain field and your private-key.pem into the Private Key field.
  5. Click Upload. When prompted to restart the web service, confirm. Proxmox reloads pveproxy and starts serving your new certificate.

After the restart, reload the web interface in your browser. You should now see your trusted certificate instead of the default self-signed one.

Alternative: install the certificate from the command line

If you prefer the shell, copy your fullchain.pem and private-key.pem to the node over SSH (for example with scp), then use the built-in pvenode tool. It validates that the certificate and key match before installing them and can restart the proxy in one step:

pvenode cert set fullchain.pem private-key.pem --force --restart

The --force flag overwrites any existing custom certificate, and --restart reloads the web service so the change takes effect immediately.

You can also place the files manually. Proxmox reads the active node’s certificate from /etc/pve/local/pveproxy-ssl.pem and its key from /etc/pve/local/pveproxy-ssl.key (where /etc/pve/local is a symlink to the current node’s directory). Copy your files into place, adjusting the source paths to match your own:

cp fullchain.pem /etc/pve/local/pveproxy-ssl.pem
cp private-key.pem /etc/pve/local/pveproxy-ssl.key

Then restart the web interface to load the new certificate:

systemctl restart pveproxy

You should see a log message confirming Proxmox is now using your new certificate.

Alternative: get a free certificate with Proxmox’s built-in ACME (Let’s Encrypt)

Proxmox VE ships with a native ACME client, so you can issue and auto-renew a free Let’s Encrypt certificate without buying one or running external tools. This is ideal when your node has a public DNS name (the HTTP-01 challenge needs ports 80/443 reachable from the internet) or when you can use a supported DNS provider for the DNS-01 challenge.

  1. Go to Datacenter → ACME and register an account under Accounts (choose the Let’s Encrypt directory and accept the terms). ACME accounts are configured once at the datacenter level.
  2. Open your node → System → Certificates, and under ACME add the domain(s) for that node and select your challenge type (HTTP or DNS).
  3. Click Order Certificates Now. Proxmox completes the challenge, installs the certificate, and renews it automatically before expiry.

Test your SSL installation

After installing the certificate, run a quick check for errors and vulnerabilities. The fastest way is to open the Proxmox web interface in your browser and confirm the padlock shows a valid, trusted certificate with the correct domain and expiry date.

From the command line, you can read back exactly what the node is serving on its default port (8006):

echo | openssl s_client -connect your-proxmox-host:8006 -servername your-proxmox-host 2>/dev/null | openssl x509 -noout -issuer -subject -dates

This prints the issuer, subject, and validity dates of the live certificate. For a full external scan, see our guide to the best SSL Checker for checking your installation.

Where to buy the best SSL certificate for Proxmox?

When buying an SSL certificate, weigh the validation type, price, and customer service. At SSL Dragon we offer one of the widest ranges of SSL certificates, highly competitive prices, and dedicated support. Every certificate is issued by a trusted Certificate Authority and is fully compatible with Proxmox Virtual Environment. Whether you need an affordable Domain Validation certificate or a premium Extended Validation product, we’ve got you covered.

Frequently Asked Questions

Where does Proxmox store its SSL certificate?

Each node serves its custom certificate from /etc/pve/local/pveproxy-ssl.pem and the matching key from /etc/pve/local/pveproxy-ssl.key. The /etc/pve/local path is a symlink to that node’s own directory under /etc/pve/nodes/<node>/. If no custom certificate is present, Proxmox falls back to its self-signed pve-ssl.pem.

How do I restart the Proxmox web interface after installing a certificate?

Restart the proxy service that serves the GUI:
systemctl restart pveproxy
If you upload through the GUI or run pvenode cert set ... --restart, Proxmox restarts the service for you, so you don’t need this command.

Why won’t Proxmox accept my private key?

The most common cause is a password-protected (encrypted) key; Proxmox only accepts an unencrypted PEM key. Remove the passphrase first with openssl rsa -in private-key.pem -out private-key.pem. Also confirm the key actually matches your certificate and that the certificate is a proper full chain (leaf first, then intermediates, root excluded).

Can Proxmox get a free Let’s Encrypt certificate automatically?

Yes. Proxmox VE has a built-in ACME client. Register a Let’s Encrypt account under Datacenter → ACME, add your domain and challenge type under [node] → System → Certificates, then order the certificate. Proxmox installs it and renews it automatically before it expires, with no manual upload needed.

Do I need to install the certificate on every node in a cluster?

Yes. The custom certificate is stored per node, so you connect to each node’s own web interface on its own hostname. Repeat the upload (or the ACME order) on each node you want to serve over trusted HTTPS.

Bottom line

Installing an SSL certificate on Proxmox VE comes down to building a full-chain PEM file, uploading it with your unencrypted key via System → Certificates (or with pvenode cert set on the command line), and letting Proxmox restart its pveproxy service. For a hands-off setup, the built-in ACME client issues and auto-renews a free Let’s Encrypt certificate. Need a certificate first? Browse our SSL certificates.

Written by

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.