@phoenixmage Hey, just a quick update for you. I have a working solution for this scenario and it is pending a PR which should happen this week. When it does I will update you here.
Basically the current VPN trust configuration is tied to the BALENA_ROOT_CA and so while you can change this value, you would also need to issue a new VPN Sub-CA and server cert. So I am PRing a change to remove the trust chain, meaning you can change the BALENA_ROOT_CA value in your configuration to match your enterprise CA and still keep a working VPN. I have tested it myself and it worked nicely. You will also be able to make your own cert-provider image to load in your server's cert and then renew it/reload the HAProxy config without changing the HAProxy container.