THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
1)
The SSL certificates are stored in the Keystore table.
So before changing realhost ip domain ,Please take back up of keystore table. So that if any problem occurs during transition to new domain, you can safely revert back immediately with your backed-up details.
2)
Due to security reasons, CloudStack won't support self Signed certificates.So uploaded certificate should be authorized by RootCA or any provider.
3)
Earlier CloudStack used to take care of realhost ip DNS resolution automatically but now end user has to take of Name resolution explicitly for their custom domain.
4)
Make sure System VMs and the corresponding agents are up and running while uploading the
certificates,If they are not up, the existing URL might still be pointing to the obsolete realhostip.com domain.
5) Depending on your requirements perform following settings:
For 4.3>= releases onwards:
- HTTP --> Set the consoleproxy.url.open = empty(i.e clear the existing entries if it exits)
- HTTPS --> Set the consoleproxy.url.open = *.yourdomain.com
Note:IN SSL certificate wizard,while entering the certificate details , The value for "DNS Domain Suffix" should be set as "yourdomain.com" and not as "*.yourdomain.com"( eg:it should be xyz.com)
Note:
After changing from https to http mode , you will still see a problem i.e it will fail to display the console till you destroy the console proxy.
so destroy the system vms after changing from https to http mode so new system vms will be recreated with new settings.
For pre-4.3 releases
config parameter "consoleproxy.url.domain" should be set to "yourdomain.com", and not "*.yourdomain.com" (no asterisk) for pre-4.3 releases
Also Same holds true for secstorage.cert.domain parameter.
6)Upload certificates in the correct order. Use id=1for the first root certificate, then for the subsequent intermediate certificates use id=2, id=3, id=4, and so on.
7)
if you seen ANY java security exception like "" sun.security.provider.certpath.SunCertPathBuilderException: " after uploading certificates ,that means there is probability of missing information as mentioned below:
- Check Uploaded certificates are in right order or not.
- Check Certificates are URL encoded or no
- Check Uploaded SSL Private Key in supported format 'PKCS#8' or not.
- Check the following files in SSVM,CPVM for uploaded certificates are stored properly or not
/etc/ssl/private/cert_apache.key – Server Key File path
/etc/ssl/certs/cert_apache.crt – Server Certificate File path
/etc/ssl/certs/cert_apache_chain.crt – SSL Chain File Path -
-- Also if you don't setup the DNS then you can resolve it temporarily by resolving as DNS (10-10-10-10.domain.com) locally like below:
- in your client's machine put the entries in the /etc/hosts file as below:
- 10.127.20.31 10-127-20-31.realhostip.com here 10.127.20.31 IP --> is your public IP of your console proxy.
How to generate my own certificate :
refer below links :
Root and Server certificates are generated as per the below links (please refer sample example as well)
https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/
https://jamielinux.com/articles/2013/08/create-and-sign-ssl-certificates-certificate-authority/
If you want to create intermediate certificate authrority please refer below
https://jamielinux.com/articles/2013/08/create-an-intermediate-certificate-authority/Note :make sure "common name " is same for all the certificates:
Sample Example: :
********************************************
root@cen62307 CA]# ls
certs crl index.txt newcerts private serial yourprivate.key
[root@cen62307 CA]# openssl genrsa -des3 -out /etc/pki/CA/ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
.......................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/ca.key.pem:
Verifying - Enter pass phrase for /etc/pki/CA/ca.key.pem:
[root@cen62307 CA]# openssl genrsa -des3 -out /etc/pki/CA/private/ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
[root@cen62307 CA]# chmod 400 /etc/pki/CA/private/ca.key.pem
[root@cen62307 CA]# openssl req -new -x509 -days 3650 -key /etc/pki/CA/private/ca.key.pem -extensions v3_ca -out /etc/pki/CA/certs/ca.cert.pem
Enter pass phrase for /etc/pki/CA/private/ca.key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:london
Locality Name (eg, city) [Default City]:london
Organization Name (eg, company) [Default Company Ltd]:myhoona.org
Organizational Unit Name (eg, section) []:qa
Common Name (eg, your name or your server's hostname) []:*.myhoona.org
Email Address []:suresh.sadhu@citrix.com
[root@cen62307 CA]# chmod 400 /etc/pki/CA/private/myhoona.org.pem
[root@cen62307 CA]# openssl req -new -key /etc/pki/CA/private/myhoona.org.pem -out /etc/pki/CA/certs/myhoona.org.csr.pem^C
[root@cen62307 CA]# cd /etc/pki/CA/private/
[root@cen62307 private]# ls
ca.key.pem myhoona.org.pem
[root@cen62307 private]# openssl req -new -key /etc/pki/CA/private/myhoona.org.pem -out /etc/pki/CA/certs/myhoona.org.csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:GB
State or Province Name (full name) []:london
Locality Name (eg, city) [Default City]:london
Organization Name (eg, company) [Default Company Ltd]:myhoona.org
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:*.myhoona.org
Email Address []:mail2sadhu@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cen6230711 private]# cd /etc/pki/CA
[root@cen6230711 CA]# openssl ca -keyfile private/ca.key.pem -cert certs/ca.cert.pem -notext -md sha1 -in certs/myhoona.org.csr.pem -out certs/myhoona.org.cert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for private/ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Apr 17 14:17:05 2014 GMT
Not After : Apr 17 14:17:05 2015 GMT
Subject:
countryName = GB
stateOrProvinceName = london
organizationName = myhoona.org
commonName = *.myhoona.org
emailAddress = mail2sadhu@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C1:5E:78:95:C8:49:E3:C2:6A:29:F4:11:BE:B1:64:70:0A:CD:DB:84
X509v3 Authority Key Identifier:
keyid:9C:5C:E4:3D:A1:53:2C:CB:FE:1E:91:A8:E8:A0:CC:28:8B:7A:D10:01
Certificate is to be certified until Apr 17 14:17:05 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
And the key which is generated in first step to be converted in pkc8 format as per the instruction mentioned in the admin guide.
after uploading certificate you will see the entries in cloud keystore db like below
mysql> select id,seq,name,domain_suffix from keystore;
+----+------+-----------------+-------------------+
| id | seq | name | domain_suffix |
+----+------+-----------------+-------------------+
| 1 | NULL | CPVMCertificate | myhoona.org |
| 2 | 0 | root | realhostip.com |
| 7 | 1 | root1 | myhoona.org |
****************************************************************************************
Overview
Content Tools
Apps