RE: Changing the SSL certificate for my own realhostip

2014-03-01 Thread Nux!

On 28.02.2014 13:41, Billy Ramsay wrote:

My experience with 4.1.1 is that PEM format is correct. However,
unless it has been corrected, you cannot upload an entire certificate
chain using the GUI. In a past email I outlined the steps I used and
my experiences with adding a custom SSL chain to ACS for the console
proxy. Below is the content of that message:


Thanks Billy, that was helpful. I added the certs in the DB via 
phpMyAdmin and all is ok now.


Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro


RE: Changing the SSL certificate for my own realhostip

2014-02-28 Thread Billy Ramsay
My experience with 4.1.1 is that PEM format is correct. However, unless it has 
been corrected, you cannot upload an entire certificate chain using the GUI. In 
a past email I outlined the steps I used and my experiences with adding a 
custom SSL chain to ACS for the console proxy. Below is the content of that 
message:



I've got this working now. I manually added the root and intermediate CA certs 
to the DB as Chiradeep suggested, and then added the domain cert using the web 
interface.

This is what I have found in my research and testing.

The table in question is "keystore". The table has a few fields (id, name, 
certificate, key, domain_suffix, seq).

1. The "id" field seems to be just a numerical identifier for the entry, 
starting at 1 and incrementing from there. If you use the web interface to 
upload a cert, the row with the "id" of "1" is replaced. From what I have 
found, using the web interface to upload certs will not add rows to the 
keystore table, but using the API will.
2. The "name" field is just a label for the entry, and using the API you can 
specify whatever you want here. If you use the web interface to upload a cert, 
the field is set to "CPVMCertificate".
3. The "certificate" field holds the actual cert, in PEM format.
4. The "key" field holds the key in PEM format.
5. The "domain_suffix" field holds the domain of the certificate, also referred 
to as the "common name".
6. The "seq" field is used to set the sequence that the server will read and 
apply the certificates. The root CA cert should be 1, an intermediate CA cert 
should be 2, and the domain cert should be 3. If you use the web interface to 
upload a cert, it sets this field to null. I changed this to a 3 in my case.

To modify the table, I just used some UPDATE statements to modify the fields. 
For the certs and keys in PEM format, I used an actual line break after each 
line. For example, I pasted the cert into the MySQL command line one line at a 
time, pressing enter between each, and finally finishing the query with a 
semicolon at the end of the last line. I'm sure there is a less obtuse method 
of doing this, but I'm not a DBA :)

After manually adding the root and intermediate CAs to the database, I used the 
web interface to upload the domain cert. I'm not sure if manually adding all of 
the certs will work, as the API call (that the web interface uses) doesn't 
simply update the DB, it kicks off other internal operations (system VM reboot 
at the very least).

If anyone has any questions, feel free to ask.

-WPR

-Original Message-
From: Nux! [mailto:n...@li.nux.ro] 
Sent: Friday, February 28, 2014 7:23 AM
To: d...@cloudstack.apache.org
Cc: Users
Subject: Changing the SSL certificate for my own realhostip

Hi,

I'm trying to implement my own realhostip and I have a problem with adding the 
certificate.

What I have is a Comodo wildcard ca_bundle, crt and key in pem format (for use 
with Apache HTTPD) and Cloudstack is asking for "X.509 compliant SSL 
certificate" and "PKCS#8 Private Key". I have never used these formats, and 
they seem to be popular within the Java world. I tried converting what I had 
from pem to der (pkcs8?) format[1], but what I get is some binary .der file 
that's "illegible" and can't really be copy-pasted into the UI.

Can someone advise on what steps I should take to get my SSL certs into ACS? 
I'm on 4.3.0 rev 4440.

Regards,
Lucian

[1]
cat ca_bundle.crt certificate.crt > certificate.pem
openssl x509 -outform der -in certificate.pem -out certificate.der

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro
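
An added example, not part of the thread and not CloudStack code: one way to script the keystore edits described in the message above instead of pasting PEM lines by hand. It splits a CA bundle into single certificates and writes them with the seq values the message gives. Assumptions: an in-memory SQLite table stands in for the MySQL "keystore" table with guessed column types, the `ca-N` row names, the NULL key on CA rows, reusing one domain_suffix for every row and `example.test` are illustrative, and the sample PEM blocks are constructed filler rather than real certificates.

```python
import base64
import re
import sqlite3

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def split_chain(bundle_text):
    """Split a PEM bundle into individual certificate blocks, 64 columns wide."""
    certs = []
    for body in PEM_RE.findall(bundle_text):
        b64 = "".join(body.split())  # drops CR/LF and stray spaces
        der = base64.b64decode(b64, validate=True)  # raises on non-base64 junk
        if not der.startswith(b"\x30"):  # a DER certificate is a SEQUENCE
            raise ValueError("PEM block does not hold DER data")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                                "-----END CERTIFICATE-----", ""]))
    return certs

def stage_chain(db, ca_pems, domain_suffix):
    """ca_pems must be root first: they get seq 1..n, the domain cert n+1."""
    for seq, pem in enumerate(ca_pems, start=1):
        # Bound parameters keep the PEM line breaks intact (MySQL drivers use %s).
        db.execute(
            'INSERT INTO keystore (name, certificate, "key", domain_suffix, seq)'
            " VALUES (?, ?, NULL, ?, ?)",  # NULL key for CA rows is an assumption
            (f"ca-{seq}", pem, domain_suffix, seq))
    db.execute("UPDATE keystore SET seq = ? WHERE name = 'CPVMCertificate'",
               (len(ca_pems) + 1,))
    return db.execute("SELECT name, seq FROM keystore ORDER BY seq").fetchall()

def demo():
    # Constructed placeholder blocks, not real certificates: 0x30 plus filler.
    def fake(tag):
        b64 = base64.b64encode(b"\x30" + tag * 60).decode()
        return f"-----BEGIN CERTIFICATE-----\r\n{b64}\r\n-----END CERTIFICATE-----\r\n"
    bundle = fake(b"R") + "# intermediate\n" + fake(b"I")  # root first
    db = sqlite3.connect(":memory:")  # stand-in for the CloudStack MySQL database
    db.execute('CREATE TABLE keystore (id INTEGER PRIMARY KEY, name TEXT, '
               'certificate TEXT, "key" TEXT, domain_suffix TEXT, seq INTEGER)')
    # The row as the web interface leaves it per the message: seq is NULL.
    db.execute('INSERT INTO keystore (name, certificate, "key", domain_suffix) '
               "VALUES ('CPVMCertificate', 'domain-pem', 'key-pem', 'example.test')")
    return stage_chain(db, split_chain(bundle), "example.test")

if __name__ == "__main__":
    print(demo())
```

The order of certificates inside a vendor's ca_bundle file varies, so check which block is the root before relying on the positions; the script only numbers them in the order given.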




Changing the SSL certificate for my own realhostip

2014-02-28 Thread Nux!

Hi,

I'm trying to implement my own realhostip and I have a problem with 
adding the certificate.


What I have is a Comodo wildcard ca_bundle, crt and key in pem format 
(for use with Apache HTTPD) and Cloudstack is asking for "X.509 
compliant SSL certificate" and "PKCS#8 Private Key". I have never used 
these formats, and they seem to be popular within the Java world. I tried 
converting what I had from pem to der (pkcs8?) format[1], but what I get 
is some binary .der file that's "illegible" and can't really be 
copy-pasted into the UI.


Can someone advise on what steps I should take to get my SSL certs into 
ACS? I'm on 4.3.0 rev 4440.


Regards,
Lucian

[1]
cat ca_bundle.crt certificate.crt > certificate.pem
openssl x509 -outform der -in certificate.pem -out certificate.der

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro