certs: add some screenshots

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

certificate-management.adoc

@@ -49,6 +49,17 @@ certificate files in `/etc/pve/local/pve-ssl.pem` and
 `/etc/pve/local/pve-ssl.key` or the cluster CA files in
 `/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`.
 
+[[sysadmin_certs_upload_custom]]
+Upload Custom Certificate
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you already have a certificate which you want to use for a {pve} node you
+can upload that certificate simply over the web interface.
+
+[thumbnail="screenshot/gui-node-certs-upload-custom.png"]
+
+Note that the certificates key file, if provided, mustn't be password
+protected.
 
 [[sysadmin_certs_get_trusted_acme_cert]]
 Trusted certificates via Let's Encrypt (ACME)
@@ -68,12 +79,13 @@ supporting all the DNS API endpoints https://acme.sh[acme.sh] does.
 [[sysadmin_certs_acme_account]]
 ACME Account
 ^^^^^^^^^^^^
+
+[thumbnail="screenshot/gui-datacenter-acme-register-account.png"]
+
 You need to register an ACME account per cluster with the endpoint you want to
 use. The email address used for that account will server as contact point for
 renewal-due or similar notifications from the ACME endpoint.
 
-// TODO: screenshot of account register here
-
 You can register and deactivate ACME accounts over the web interface
 `Datacenter -> ACME` or using the `pvenode` command line tool.
 ----
@@ -99,11 +111,28 @@ from the public internet. For such cases one could use the `dns-01` challenge.
 That challenge provides also a certain value, but not over a text file, but
 through a DNS record on the authority name server of the domain.
 
+[thumbnail="screenshot/gui-datacenter-acme-overview.png"]
+
 {pve} supports both of those challenge types out of the box, you can configure
 plugins either over the web interface under `Datacenter -> ACME`, or using the
 `pvenode acme plugin add` command.
 
 ACME Plugin configurations are stored in `/etc/pve/priv/acme/plugins.cfg`.
+A plugin is available for all nodes in the cluster.
+
+Node Domains
+^^^^^^^^^^^^
+
+Each domain is node specific. You can add new or manage existing domain entries
+under `Node -> Certificates`, or using the `pvenode config` command.
+
+[thumbnail="screenshot/gui-node-certs-add-domain.png"]
+
+After configuring the desired domain(s) for a node and ensuring that the
+desired ACME account is selected, you can order your new certificate over the
+web-interface. On success the interface will reload after 10 seconds.
+
+Renewal will happen xref:sysadmin_certs_acme_automatic_renewal[automatically].
 
 [[sysadmin_certs_acme_http_challenge]]
 ACME HTTP Challenge Plugin
@@ -146,6 +175,8 @@ specific APIs.
 The easiest way to configure a new plugin with the DNS API is using the web
 interface (`Datacenter -> ACME`).
 
+[thumbnail="screenshot/gui-datacenter-acme-add-dns-plugin.png"]
+
 Choose `DNS` as challenge type. Then you can select your API provider, enter
 the credential data to access your account over their API.
 
@@ -187,7 +218,7 @@ Automatic renewal of ACME certificates
 
 If a node has been successfully configured with an ACME-provided certificate
 (either via pvenode or via the GUI), the certificate will be automatically
-renewed by the pve-daily-update.service. Currently, renewal will be attempted
+renewed by the `pve-daily-update.service`. Currently, renewal will be attempted
 if the certificate has expired already, or will expire in the next 30 days.