Incus cluster certificates - own pki/CA

Hi, how can I use my own certificates (own internal PKI/CA) for Incus clustering?

Without an Incus cluster, I can use server.crt, server.key and server.ca (and client.*) pointing to the proper certificates, and with incus config set core.trust_ca_certificates=true I can use “password-less” Incus API access between servers and clients.
I am trying something similar with an Incus cluster (cluster.crt, cluster.key and cluster.ca) but without much success.

When I try to change the cluster certs and key with incus cluster update-certificate for the single/first node and add cluster.ca pointing to my CA crt, together with incus config set core.trust_ca_certificates=true, I can access the Incus UI/API with a valid client certificate, but I instantly get a “Failed adding member event listener client” error even from the first/single cluster member itself, and I can’t add other nodes, which fail with “Error: Failed to retrieve cluster information: not authorized”.

Is this setup possible (own trusted internal pki/CA), or not yet?
Thanks.

It’s less common for sure.

Ideally what you would do is replace the server.crt, server.key and server.ca prior to joining the server into the cluster. Then you’d issue another certificate for cluster.crt and cluster.key as that’s what will be used by all servers when dealing with clients (as the client visible cert should be the same in a cluster).
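
A pre-flight check for the procedure described in the reply above, added here as an example and not taken from the thread or from the Incus project: it confirms that each certificate chains to the internal CA and that each key matches its certificate before the files are put in place as server.crt/server.key or cluster.crt/cluster.key. The CA, the host names and the temporary directory are constructed test material, and the script assumes the openssl CLI with its default configuration is installed.

```bash
#!/usr/bin/env bash
# Constructed test material: throwaway CA, made-up host names, temp directory.

# check_pair CA CRT KEY: succeed only if CRT chains to CA and KEY matches CRT.
check_pair() {
    local ca="$1" crt="$2" key="$3" a b
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    # Compare the public key inside the certificate with the one derived
    # from the private key; a mismatch means the pair was mixed up.
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ]
}

# make_ca DIR CN: create a self-signed throwaway CA in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -subj "/CN=$2" -days 30 -out "$1/ca.crt" 2>/dev/null
}

# issue DIR NAME CN: create NAME.key and NAME.crt for CN, signed by DIR/ca.crt.
issue() {
    local d="$1" name="$2" cn="$3"
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$name.key" \
        -subj "/CN=$cn" -out "$d/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/$name.crt" 2>/dev/null
}

demo() {
    local d; d=$(mktemp -d) || return 1
    make_ca "$d" "Example Internal CA" || return 1
    # Per-member certificate (would become server.crt/server.key on node1).
    issue "$d" node1 node1.example.internal || return 1
    # Shared certificate (would become cluster.crt/cluster.key).
    issue "$d" cluster cluster.example.internal || return 1
    check_pair "$d/ca.crt" "$d/node1.crt" "$d/node1.key" && echo "node1: ok"
    check_pair "$d/ca.crt" "$d/cluster.crt" "$d/cluster.key" && echo "cluster: ok"
    # A key that belongs to a different certificate must be rejected.
    check_pair "$d/ca.crt" "$d/cluster.crt" "$d/node1.key" || echo "mismatch: rejected"
    rm -rf "$d"
}

demo
```

To check real files, call check_pair with the CA certificate, the certificate and its key, for example the server.ca, server.crt and server.key named in the thread.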