1)
The SSL certificates are stored in the keystore table.
So before changing the realhostip domain, take a backup of the keystore table, so that if any problem occurs during the transition to the new domain you can immediately revert to your backed-up details.
2)
For security reasons, CloudStack does not support self-signed certificates, so the uploaded certificate must be signed by a root CA or a certificate provider.
3)
Earlier, CloudStack took care of realhostip DNS resolution automatically, but now the end user has to take care of name resolution explicitly for their custom domain.
4)
Make sure the System VMs and the corresponding agents are up and running while uploading the certificates. If they are not up, the existing URL might still point to the obsolete realhostip.com domain.
5) Depending on your requirements, perform the following settings:
For releases 4.3 and later:
Note:
After changing from https to http mode, you will still see a problem: the console will fail to display until you destroy the console proxy.
So destroy the system VMs after changing from https to http mode, so that new system VMs are recreated with the new settings.
For pre-4.3 releases:
The config parameter "consoleproxy.url.domain" should be set to "yourdomain.com", and not "*.yourdomain.com" (no asterisk), for pre-4.3 releases.
The same holds true for the secstorage.cert.domain parameter.
6) Upload certificates in the correct order. Use id=1 for the first root certificate, then for the subsequent intermediate certificates use id=2, id=3, id=4, and so on.
7)
If you see ANY Java security exception like "sun.security.provider.certpath.SunCertPathBuilderException:" after uploading certificates, that means there is probably missing information as mentioned below:
-- Also, if you have not set up DNS, you can resolve it temporarily by resolving the name (10-10-10-10.domain.com) locally, like below:
Sample example:
********************************************
[root@cen62307 CA]# ls
certs crl index.txt newcerts private serial yourprivate.key
[root@cen62307 CA]# openssl genrsa -des3 -out /etc/pki/CA/ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
.......................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/ca.key.pem:
Verifying - Enter pass phrase for /etc/pki/CA/ca.key.pem:
[root@cen62307 CA]# openssl genrsa -des3 -out /etc/pki/CA/private/ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
[root@cen62307 CA]# chmod 400 /etc/pki/CA/private/ca.key.pem
[root@cen62307 CA]# openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:london
Locality Name (eg, city) [Default City]:london
Organization Name (eg, company) [Default Company Ltd]:myhoona.org
Organizational Unit Name (eg, section) []:qa
Common Name (eg, your name or your server's hostname) []:*.myhoona.org
Email Address []:suresh.sadhu@citrix.com
[root@cen62307 CA]# chmod 400 /etc/pki/CA/private/myhoona.org.pem
[root@cen62307 CA]# openssl req -new -key /etc/pki/CA/private/myhoona.org.pem -out /etc/pki/CA/certs/myhoona.org.csr.pem^C
[root@cen62307 CA]# cd /etc/pki/CA/private/
[root@cen62307 private]# ls
ca.key.pem myhoona.org.pem
[root@cen62307 private]# openssl req -new -key /etc/pki/CA/private/myhoona.org.pem -out /etc/pki/CA/certs/myhoona.org.csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:london
Locality Name (eg, city) [Default City]:london
Organization Name (eg, company) [Default Company Ltd]:myhoona.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.myhoona.org
Email Address []:mail2sadhu@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cen6230711 private]# cd /etc/pki/CA
[root@cen6230711 CA]# openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -notext -md sha1 -in certs/myhoona.org.csr.pem -out certs/myhoona.org.cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Apr 17 14:17:05 2014 GMT
            Not After : Apr 17 14:17:05 2015 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = london
            organizationName          = myhoona.org
            commonName                = *.myhoona.org
            emailAddress              = mail2sadhu@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:5E:78:95:C8:49:E3:C2:6A:29:F4:11:BE:B1:64:70:0A:CD:DB:84
            X509v3 Authority Key Identifier:
                keyid:9C:5C:E4:3D:A1:53:2C:CB:FE:1E:91:A8:E8:A0:CC:28:8B:7A:D10:01
Certificate is to be certified until Apr 17 14:17:05 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The key generated in the first step must then be converted to PKCS#8 format, as per the instructions in the admin guide.
After uploading the certificate you will see entries in the cloud keystore DB like below:
mysql> select id,seq,name,domain_suffix from keystore;
+----+------+-----------------+-------------------+
| id | seq  | name            | domain_suffix     |
+----+------+-----------------+-------------------+
|  1 | NULL | CPVMCertificate | myhoona.org       |
|  2 |    0 | root            | realhostip.com    |
|  7 |    1 | root1           | myhoona.org       |
+----+------+-----------------+-------------------+
****************************************************************************************
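As an added helper for the steps above (written for this page, not part of the CloudStack docs or project), the script below backs up the keystore table from point 1, builds the dashed-IP name and temporary hosts entry from point 7, checks that a wildcard CN such as *.myhoona.org actually covers that name, verifies the chain in the upload order of point 6 and converts the key to PKCS#8. The database name "cloud", the ~/.my.cnf login and the output paths are assumptions.

```shell
#!/bin/sh
# Added helper for the realhostip.com replacement steps above; not part of the
# CloudStack docs or code. Assumptions: database name "cloud", MySQL login via
# ~/.my.cnf, and the certificate/key paths from the sample session.
set -eu

# Step 1: dump the keystore table so the old rows can be restored if needed.
backup_keystore() {        # $1 = database, $2 = output file
    mysqldump --single-transaction "$1" keystore > "$2"
}

# Steps 3 and 7: the dashed-IP name under the custom domain that has to resolve,
# e.g. 10.10.10.10 under myhoona.org becomes 10-10-10-10.myhoona.org
realhostip_name() {        # $1 = IPv4 address, $2 = domain suffix
    printf '%s.%s\n' "$(printf '%s' "$1" | sed 's/\./-/g')" "$2"
}

# A wildcard CN such as *.myhoona.org covers exactly one extra label: it matches
# 10-10-10-10.myhoona.org but not a.b.myhoona.org or the bare myhoona.org.
wildcard_covers() {        # $1 = wildcard pattern, $2 = hostname
    [ "${2#*.}" = "${1#\*.}" ] && [ "${2%%.*}" != "$2" ]
}

# Step 6 precondition: the chain must validate root -> intermediates -> leaf
# before the certificates are uploaded in that order (id=1, id=2, ...).
verify_chain() {           # $1 = root PEM, $2 = leaf PEM, $3 = optional intermediate bundle
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2"
    else
        openssl verify -CAfile "$1" "$2"
    fi
}

# Convert the PKCS#1 RSA key from the session into unencrypted PKCS#8, the form
# the admin guide asks for when the private key is uploaded.
to_pkcs8() {               # $1 = PKCS#1 key, $2 = PKCS#8 output
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
    chmod 400 "$2"
}

if [ "${1:-}" = run ]; then
    backup_keystore cloud /root/keystore-backup.sql
    # temporary local resolution until the real DNS record exists
    printf '%s %s\n' 10.10.10.10 "$(realhostip_name 10.10.10.10 myhoona.org)" >> /etc/hosts
    verify_chain /etc/pki/CA/certs/ca.cert.pem /etc/pki/CA/certs/myhoona.org.cert.pem
    to_pkcs8 /etc/pki/CA/private/myhoona.org.pem /etc/pki/CA/private/myhoona.org.pk8.pem
fi
```

Run it as `sh script.sh run` on the management server; without the `run` argument it only defines the functions.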