1)

The SSL certificates are stored in the keystore table.

So before changing the realhostip domain, take a backup of the keystore table, so that if any problem occurs during the transition to the new domain you can immediately and safely revert to the backed-up entries.

2)

For security reasons, CloudStack does not support self-signed certificates, so the uploaded certificate must be signed by a root CA or any certificate provider.

3)

Earlier, CloudStack took care of realhostip DNS resolution automatically; now the end user has to take care of name resolution explicitly for their custom domain.

4)

Make sure the System VMs and their corresponding agents are up and running while uploading the certificates. If they are not up, the existing URL might still point to the obsolete realhostip.com domain.

5) Depending on your requirements, perform the following settings:

 For releases 4.3 and later:

  •   HTTP   -->   Set consoleproxy.url.domain = empty (i.e. clear the existing entry if it exists)

  •   HTTPS  -->   Set consoleproxy.url.domain = *.yourdomain.com

    Note: In the SSL certificate wizard, when entering the certificate details, the value for "DNS Domain Suffix" should be set to "yourdomain.com" and not to "*.yourdomain.com" (e.g. it should be xyz.com).

Note:

After changing from HTTPS to HTTP mode you will still see a problem: the console fails to display until you destroy the console proxy.

So destroy the system VMs after changing from HTTPS to HTTP mode, so that new system VMs are recreated with the new settings.



For pre-4.3 releases:

The config parameter "consoleproxy.url.domain" should be set to "yourdomain.com", and not to "*.yourdomain.com" (no asterisk).

The same holds true for the secstorage.cert.domain parameter.


6) Upload the certificates in the correct order. Use id=1 for the first (root) certificate, then use id=2, id=3, id=4, and so on for the subsequent intermediate certificates.

7)

If you see any Java security exception such as "sun.security.provider.certpath.SunCertPathBuilderException" after uploading the certificates, one of the following is probably missing or wrong:

    • Check whether the uploaded certificates are in the right order.
    • Check whether the certificates are URL encoded.
    • Check whether the uploaded SSL private key is in the supported format (PKCS#8).
    • Check that the uploaded certificates have been stored properly in the following files on the SSVM and CPVM:

      /etc/ssl/private/cert_apache.key         – server key file path
      /etc/ssl/certs/cert_apache.crt           – server certificate file path
      /etc/ssl/certs/cert_apache_chain.crt     – SSL chain file path

-- Also, if you have not set up DNS, you can work around it temporarily by resolving the dashed-IP name (10-10-10-10.domain.com) locally, like below:

  • On your client machine, put an entry in the /etc/hosts file as below:
  • 10.127.20.31 10-127-20-31.realhostip.com   (here 10.127.20.31 is the public IP of your console proxy)
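As an added example (not code from the CloudStack project or from this page), the following Python script performs the pre-upload checks behind points 6 and 7: it sorts a PEM bundle root-first and assigns the upload ids (root id=1, intermediates id=2, 3, ...), URL-encodes each certificate, reports where a chain fails to link (the situation a SunCertPathBuilderException points at), and classifies the private key header so that only a PKCS#8 key passes. The DER walker reads only the issuer and subject fields, which is all the ordering check needs. The certificates it runs on are constructed dummies built with the same tiny DER encoder and carry no real signature. Two assumptions are mine, not the page's: that the bundle's last link is the server certificate, which is uploaded together with the key and without a chain id, and that the key is expected unencrypted.

```python
# Added example (not CloudStack project code): pre-upload checks for points 6 and 7.
# The certificates used below are constructed dummies with no real signature.
import base64
import re
from urllib.parse import quote

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der):
    """Return the raw DER Name values of an X.509 certificate's issuer and subject."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate ::= SEQUENCE (first element)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = _tlv(tbs, pos)
        fields.append((tag, value))
    if fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version comes first
        fields.pop(0)
    # order is then: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def order_chain(bundle_pem):
    """Sort a PEM bundle root-first; return [(id, role, url_encoded_pem), ...].

    Assumption: the bundle holds one self-issued root, its intermediates and the
    server certificate as the last link. Raises ValueError when the chain does
    not link up, which is the usual cause of a SunCertPathBuilderException.
    """
    certs = []
    for kind, body in PEM_RE.findall(bundle_pem):
        if kind == "CERTIFICATE":
            pem = f"-----BEGIN CERTIFICATE-----{body}-----END CERTIFICATE-----\n"
            issuer, subject = issuer_and_subject(base64.b64decode("".join(body.split())))
            certs.append((pem, issuer, subject))
    roots = [c for c in certs if c[1] == c[2]]
    if len(roots) != 1:
        raise ValueError("bundle must contain exactly one self-issued root certificate")
    ordered, remaining = [roots[0]], [c for c in certs if c is not roots[0]]
    while remaining:
        nxt = [c for c in remaining if c[1] == ordered[-1][2]]   # issued by previous link
        if len(nxt) != 1:
            raise ValueError("chain breaks after certificate %d" % len(ordered))
        ordered.append(nxt[0])
        remaining.remove(nxt[0])
    result = []
    for i, (pem, _, _) in enumerate(ordered):
        if i == 0:
            role, cert_id = "root", 1
        elif i == len(ordered) - 1:
            role, cert_id = "server", None   # assumed: uploaded with the key, no chain id
        else:
            role, cert_id = "intermediate", i + 1
        result.append((cert_id, role, quote(pem, safe="")))   # URL-encode for the upload
    return result


def key_format(key_pem):
    """Classify a PEM private key by its header; only unencrypted PKCS#8 is 'ok'."""
    m = PEM_RE.search(key_pem)
    labels = {
        "PRIVATE KEY": "ok: unencrypted PKCS#8",
        "ENCRYPTED PRIVATE KEY": "PKCS#8 but encrypted: decrypt before upload",
        "RSA PRIVATE KEY": "PKCS#1: convert with openssl pkcs8 -topk8 -nocrypt",
        "EC PRIVATE KEY": "SEC1: convert with openssl pkcs8 -topk8 -nocrypt",
    }
    return labels.get(m.group(1), "unsupported") if m else "not a PEM private key"


# --- constructed dummy certificates for the demonstration (no real signature) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):                               # Name ::= SEQ { SET { SEQ { OID cn, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def dummy_cert(subject, issuer):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer) + _der(0x30, b"") + _name(subject))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()


# Deliberately out of order: server, root, intermediate.
SAMPLE_BUNDLE = (dummy_cert("*.yourdomain.com", "Example Issuing CA")
                 + dummy_cert("Example Root CA", "Example Root CA")
                 + dummy_cert("Example Issuing CA", "Example Root CA"))
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for cert_id, role, _ in order_chain(SAMPLE_BUNDLE):
        print(f"id={cert_id} role={role}")
    print(key_format(SAMPLE_KEY))
```

Run it as a script to see the ordered roles, or call order_chain() on your own bundle and key_format() on your key. key_format() only classifies the header; the conversion itself is done with `openssl pkcs8 -topk8 -nocrypt -in key.pem -out key.pkcs8.pem`.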

            

 

 

Sample Example:

********************************************

[root@cen62307 CA]# ls
certs  crl  index.txt  newcerts  private  serial  yourprivate.key
[root@cen62307 CA]# openssl genrsa -des3 -out /etc/pki/CA/ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
.......................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/ca.key.pem:
Verifying - Enter pass phrase for /etc/pki/CA/ca.key.pem:
[root@cen62307 CA]# openssl genrsa -des3 -out /etc/pki/CA/private/ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
[root@cen62307 CA]# chmod 400 /etc/pki/CA/private/ca.key.pem

[root@cen62307 CA]# openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:london
Locality Name (eg, city) [Default City]:london
Organization Name (eg, company) [Default Company Ltd]:myhoona.org
Organizational Unit Name (eg, section) []:qa
Common Name (eg, your name or your server's hostname) []:*.myhoona.org
Email Address []:suresh.sadhu@citrix.com

[root@cen62307 CA]# chmod 400 /etc/pki/CA/private/myhoona.org.pem
[root@cen62307 CA]# openssl req -new -key /etc/pki/CA/private/myhoona.org.pem -out /etc/pki/CA/certs/myhoona.org.csr.pem^C
[root@cen62307 CA]# cd /etc/pki/CA/private/
[root@cen62307 private]# ls
ca.key.pem  myhoona.org.pem
[root@cen62307 private]# openssl req -new -key /etc/pki/CA/private/myhoona.org.pem -out /etc/pki/CA/certs/myhoona.org.csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:london
Locality Name (eg, city) [Default City]:london
Organization Name (eg, company) [Default Company Ltd]:myhoona.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.myhoona.org
Email Address []:mail2sadhu@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cen6230711 private]# cd /etc/pki/CA
[root@cen6230711 CA]# openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -notext -md sha1 -in certs/myhoona.org.csr.pem -out certs/myhoona.org.cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Apr 17 14:17:05 2014 GMT
            Not After : Apr 17 14:17:05 2015 GMT
        Subject:
            countryName               = GB
            stateOrProvinceName       = london
            organizationName          = myhoona.org
            commonName                = *.myhoona.org
            emailAddress              = mail2sadhu@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C1:5E:78:95:C8:49:E3:C2:6A:29:F4:11:BE:B1:64:70:0A:CD:DB:84
            X509v3 Authority Key Identifier:
                keyid:9C:5C:E4:3D:A1:53:2C:CB:FE:1E:91:A8:E8:A0:CC:28:8B:7A:D10:01

Certificate is to be certified until Apr 17 14:17:05 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


The key generated in the first step has to be converted to PKCS#8 format, as per the instructions in the admin guide.

After uploading the certificate you will see entries in the cloud keystore DB like below:

mysql> select id,seq,name,domain_suffix from keystore;
+----+------+-----------------+-------------------+
| id | seq  | name            | domain_suffix     |
+----+------+-----------------+-------------------+
|  1 | NULL | CPVMCertificate | myhoona.org       |
|  2 |    0 | root            | realhostip.com    |
|  7 |    1 | root1           | myhoona.org       |
+----+------+-----------------+-------------------+

****************************************************************************************