From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 7A1201FF142
	for <inbox@lore.proxmox.com>; Tue, 07 Apr 2026 15:57:21 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 1AEC11CEC3;
	Tue,  7 Apr 2026 15:57:55 +0200 (CEST)
From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager 09/10] cli: expose certificate management
 endpoints via the cli
Date: Tue,  7 Apr 2026 15:57:13 +0200
Message-ID: <20260407135714.490747-10-s.sterz@proxmox.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260407135714.490747-1-s.sterz@proxmox.com>
References: <20260407135714.490747-1-s.sterz@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1775570172953
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.125 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: ZNBOX3LC5RFJRCBUXRJY3TZL5EO5GON2
X-Message-ID-Hash: ZNBOX3LC5RFJRCBUXRJY3TZL5EO5GON2
X-MailFrom: s.sterz@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pbs-devel-owner@lists.proxmox.com>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Subscribe: <mailto:pbs-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pbs-devel-leave@lists.proxmox.com>

analogous to how this is handled in proxmox-backup-server.

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 cli/admin/Cargo.toml  |  2 +
 cli/admin/src/cert.rs | 86 +++++++++++++++++++++++++++++++++++++++++++
 cli/admin/src/main.rs |  2 +
 3 files changed, 90 insertions(+)
 create mode 100644 cli/admin/src/cert.rs

diff --git a/cli/admin/Cargo.toml b/cli/admin/Cargo.toml
index 01afc88..7aa0d2e 100644
--- a/cli/admin/Cargo.toml
+++ b/cli/admin/Cargo.toml
@@ -10,6 +10,7 @@ repository.workspace = true
 
 [dependencies]
 anyhow.workspace = true
+openssl.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 
@@ -29,3 +30,4 @@ pdm-api-types.workspace = true
 pdm-config.workspace = true
 pdm-buildcfg.workspace = true
 server.workspace = true
+proxmox-time.workspace = true
diff --git a/cli/admin/src/cert.rs b/cli/admin/src/cert.rs
new file mode 100644
index 0000000..358ab56
--- /dev/null
+++ b/cli/admin/src/cert.rs
@@ -0,0 +1,86 @@
+use anyhow::{bail, Error};
+
+use proxmox_router::cli::*;
+use proxmox_schema::api;
+use server::api;
+use server::auth::certs::update_self_signed_cert;
+use server::auth::csrf::generate_csrf_key;
+use server::auth::key::generate_auth_key;
+
+#[api]
+/// Display node certificate information.
+fn cert_info() -> Result<(), Error> {
+    let Some(cert) = api::nodes::certificates::get_info()?.pop() else {
+        return Ok(());
+    };
+
+    println!("Subject: {}", cert.subject);
+
+    for name in cert.san {
+        println!("    {name}");
+    }
+
+    let not_before = cert
+        .notbefore
+        .and_then(|e| proxmox_time::strftime_utc("%b %e %T %Y %Z", e).ok());
+
+    let not_after = cert
+        .notafter
+        .and_then(|e| proxmox_time::strftime_utc("%b %e %T %Y %Z", e).ok());
+
+    println!("Issuer: {}", cert.issuer);
+    println!("Validity:");
+    println!("    Not Before: {}", not_before.unwrap_or_default());
+    println!("    Not After : {}", not_after.unwrap_or_default());
+
+    println!(
+        "Fingerprint (sha256): {}",
+        cert.fingerprint.unwrap_or_default()
+    );
+
+    println!("Public key type: {}", cert.public_key_type);
+    println!(
+        "Public key bits: {}",
+        cert.public_key_bits.unwrap_or_default()
+    );
+
+    Ok(())
+}
+
+#[api(
+    input: {
+        properties: {
+            force: {
+                description: "Force generation of new SSL certificate.",
+                type:  Boolean,
+                optional:true,
+            },
+        }
+    },
+)]
+/// Update node certificates and generate all needed files/directories.
+/// If no authentication key or CSRF secret key exist, this will also generate new ones. These two
+/// keys will go into effect the next time the `proxmox-backup.service` is started.
+fn update_certs(force: Option<bool>) -> Result<(), Error> {
+    pdm_config::setup::create_configdir()?;
+
+    if let Err(err) = generate_auth_key() {
+        bail!("unable to generate auth key - {err}");
+    }
+
+    if let Err(err) = generate_csrf_key() {
+        bail!("unable to generate csrf key - {err}");
+    }
+
+    update_self_signed_cert(force.unwrap_or(false))?;
+
+    Ok(())
+}
+
+pub fn cert_mgmt_cli() -> CommandLineInterface {
+    let cmd_def = CliCommandMap::new()
+        .insert("info", CliCommand::new(&API_METHOD_CERT_INFO))
+        .insert("update", CliCommand::new(&API_METHOD_UPDATE_CERTS));
+
+    cmd_def.into()
+}
diff --git a/cli/admin/src/main.rs b/cli/admin/src/main.rs
index 7f0b339..66d5423 100644
--- a/cli/admin/src/main.rs
+++ b/cli/admin/src/main.rs
@@ -12,6 +12,7 @@ use proxmox_schema::api;
 use proxmox_sys::fs::CreateOptions;
 
 mod acme;
+mod cert;
 mod remotes;
 mod support_status;
 
@@ -38,6 +39,7 @@ async fn run() -> Result<(), Error> {
 
     let cmd_def = CliCommandMap::new()
         .insert("acme", acme::acme_mgmt_cli())
+        .insert("cert", cert::cert_mgmt_cli())
         .insert("remote", remotes::cli())
         .insert(
             "report",
-- 
2.47.3