I’m using a SSH tunnel to connect a port on my vps to a port on my home server. I have rhevssl certificates both on the vps and the home server (I trust the vps provider), but I’m pretty sure (correct me if I’m wrong!) that this would work with the certificates only on the home server. Could the vps provider do a mitm then? I’m not sure, the packets go in one port and are directly forwarded to my home server.
Can the vps provider get their own certificates? That’s a good question. I guess you could check the certificate when connecting to prevent tampering. Datetime of issue alone should be enough since vps providers can’t fake that. Unless you don’t trust CAs either :)