How to enhance WebUI default security?

[amontero]

I'm setting up a LAN grid that where I would like to protect storage nodes WebUIs from casual eavesdroppers. I connect to storage nodes via WebUI to do checks and tests, and would like to be a bit safer to wireless sniffers, for instance. I assume that enabling SSL for all node's WebUIs would be enough for that, maybe I've overlooked something. Just common-sense rule-of-thumb: (most of)SSL will be better than NO SSL. Then I thought that the easiest way to do this is, not to even generate any certs locally, but reuse the "private/node.pem" existing one. Looks the easiest, good karma points. Perhaps that's not possible/advisable and is a blatant "no-no" that I could not be aware of. Tried reading the code a little and read ​https://github.com/tahoe-lafs/pycryptopp/blob/master/README.ed25519.rst and I'm not sure. But, here I've could be completely mislead and I don't understand most of it. My doubts are:

• what security will have this "node.pem" key for webui SSL?
• is "node.pem" even suitable for using it as SSL cert?

I asked in IRC and was given nice alternatives, such as lafs-rpg or ssh tunnels, but doing by enabling just SSL I seem to understand that's not as easy and secure af it sounds. But here I might fall short on understandings of some crypto/PKI concepts. So, anyway at least as a FAQ I would like to know if it is possible or if it can be achieved someway. Here it might raise ideas, such as "why we don't generate a default 'private/webui.pem' and recommend in tahoe.cfg comments?". I think that switching to from NO SSL to SSL WebUI is worth having, isn't it?

I think making this a bit clear for non cryptologists could at least be a nice security FAQ, even if not advisable.