- <description>The corresponding SSL public certificate,
- signed by the root CA.</description>
+ <description>The corresponding SSL public certificate. By
+ default, this certificate is self-signed. You may replace
+ the certificate later with one signed by the PLC root
+ CA.</description>
+ </variable>
+
+ <variable id="ca_ssl_crt" type="file">
+ <name>Root CA SSL Public Certificate</name>
+ <value>/etc/planetlab/ma_sa_ca_ssl.crt</value>
+ <description>If applicable, the certificate of the PLC root
+ CA. If your MA/SA certificate is self-signed, then this file
+ is the same as your MA/SA certificate.</description>
+ </variable>
+
+ <variable id="ca_ssl_key_pub" type="file">
+ <name>Root CA SSL Public Key</name>
+ <value>/etc/planetlab/ma_sa_ca_ssl.pub</value>
+ <description>If applicable, the public key of the PLC root
+ CA. If your MA/SA certificate is self-signed, then this file
+ is the same as your MA/SA public key.</description>
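Review bot: The new descriptions for ca_ssl_crt and ca_ssl_key_pub do not say that these files must be updated when the MA/SA certificate is replaced, although the first description now invites that replacement ("You may replace the certificate later with one signed by the PLC root CA"). With the self-signed default, both CA files are copies of the MA/SA certificate and public key. An operator who swaps in a CA-signed certificate and leaves them alone ends up with a trust anchor that no longer matches the issuer. I suggest adding a sentence to the first description, or to both CA descriptions, saying that ma_sa_ca_ssl.crt and ma_sa_ca_ssl.pub have to be replaced with the root CA's certificate and key at the same time. "If applicable" also reads as if the files are optional, while the next sentence implies they are always present, so it would help to state which is intended. Finally, ca_ssl_key_pub duplicates the public key already carried in ca_ssl_crt. If both are kept, the description should say they must correspond, since nothing in these lines ties one to the other.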