
TIP: The information in this blog post is useful for real-life SSL scenarios: http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html

Creating your own chained certificate for testing

This is meant for testing purposes only, for lack of a better way to test without obtaining an actual intermediate CA. In essence, the process is to:

  1. Create your own root CA
  2. Create your own intermediate CA, signed by the root CA
  3. Create your domain specific certificate request, and sign it using the intermediate CA
  4. Upload all the above in CloudStack
  5. Optionally, add the root CA and intermediate CA to your browser. NOTE that if you created the above using openssl on your machine, they would exist in the OS as well. Hence, a good way to test it is to create the above on a different machine.

For step 1: https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/

For step 2: https://jamielinux.com/articles/2013/08/create-an-intermediate-certificate-authority/ (BEWARE of a typo in the blog. Refer to the comments section below it.)

For step 3: https://jamielinux.com/articles/2013/08/create-and-sign-ssl-certificates-certificate-authority/

For step 4: http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html (You may also use CloudMonkey instead of the python API mentioned.)

For step 5: Follow your browser / OS specific steps.
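
Steps 1 to 3 condensed into one script, as an added example that is not taken from this page or the linked articles. The CA names, file names, 30-day lifetimes and the domain argument are constructed test values, and the keys are written unencrypted, which is only acceptable for a throwaway test CA.

```shell
#!/bin/sh
# Added example. Names, domain and 30-day lifetimes are constructed test values.
# Usage: make_test_chain ./testchain '*.mytestdomain.com' && verify_chain ./testchain

make_test_chain() (
    dir=$1; domain=$2
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Own minimal config, so results do not depend on the system openssl.cnf.
    cat > chain.cnf <<EOF
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$domain
EOF
    # Step 1: self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config chain.cnf \
        -extensions v3_ca -subj "/CN=Test Root CA" \
        -keyout root.key -out root.crt 2>/dev/null || exit 1
    # Step 2: intermediate CA request, signed by the root with CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -config chain.cnf \
        -subj "/CN=Test Intermediate CA" \
        -keyout inter.key -out inter.csr 2>/dev/null || exit 1
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -days 30 -extfile chain.cnf -extensions v3_ca \
        -out inter.crt 2>/dev/null || exit 1
    # Step 3: domain request, signed by the intermediate (not the root).
    openssl req -new -newkey rsa:2048 -nodes -config chain.cnf \
        -subj "/CN=$domain" -keyout server.key -out server.csr 2>/dev/null || exit 1
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key \
        -CAcreateserial -days 30 -extfile chain.cnf -extensions v3_leaf \
        -out server.crt 2>/dev/null || exit 1
)

# Passes only when the verifier is handed the intermediate as well.
verify_chain() (
    cd "$1" && openssl verify -CAfile root.crt -untrusted inter.crt server.crt 2>&1 | grep -q ': OK$'
)

# Expected to fail: the root alone cannot vouch for the server certificate.
verify_without_intermediate() (
    cd "$1" && openssl verify -CAfile root.crt server.crt 2>&1 | grep -q ': OK$'
)
```

The failing second check is the reason step 4 uploads the intermediate CA certificate together with the domain certificate: a client that trusts only the root cannot build the path without it.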

Obtaining certificate for testing

There are free trial certificates available for testing things out. Unfortunately, they don't allow for a wildcard certificate. Hence, to do some testing you can:

Step 1: Set up your CloudStack environment (zones etc.).

Step 2: Obtain the public IP of your SSVM to act as the source for all operations, say 10.10.10.10.

Step 3: Generate a CSR using openssl or any other tool, following the procedure in the admin guide for replacing your own domain. For the CSR, use "10-10-10-10.mytestdomain.com" as the Common Name (replace mytestdomain with any domain you are using). Use US as country, California as state, Santa Clara as city (or just replace with your favorite state and city, just make sure they are real ones).

Step 4: Go to http://www.symantec.com/verisign/ssl-certificates# and select the Trial version for "Secure Site SSL Certificates".

Step 5: Give YOUR e-mail ID (the certificate will be sent there) and use the CSR generated in step 3.

You should get a certificate in your e-mail. Use that certificate for the upload. Note that it is NOT a wildcard certificate, and hence some functionality such as Console Access may throw errors. However, from the SSVM whose IP you have used, you should be able to download templates and issue the copyTemplate command (i.e. with this SSVM as the source for the copy).

*Please* note that these free certs are signed by a Trial CA, and hence are not trusted by default. Refer to the additional steps in the e-mail sent by Symantec for details.