I apologize for the delay in responding to this.

This is what I have found in my research and testing.

The table in question is "keystore". The table has a few fields (id, name, 
certificate, key, domain_suffix, seq).

1. The "id" field seems to be just a numerical identifier for the entry, 
starting at 1 and incrementing from there. If you use the web interface to 
upload a cert, the row with the "id" of "1" is replaced. From what I have 
found, using the web interface to upload certs will not add rows to the 
keystore table, but using the API will.
2. The "name" field is just a label for the entry, and using the API you can 
specify whatever you want here. If you use the web interface to upload a cert, 
the field is set to "CPVMCertificate".
3. The "certificate" field holds the actual cert, in PEM format.
4. The "key" field holds the key in PEM format.
5. The "domain_suffix" field holds the domain of the certificate, also referred 
to as the "common name".
6. The "seq" field is used to set the sequence in which the server will read 
and apply the certificates. The root CA cert should be 1, an intermediate CA cert 
should be 2, and the domain cert should be 3. If you use the web interface to 
upload a cert, it sets this field to null. I changed this to a 3 in my case.

To modify the table, I just used some UPDATE statements to modify the fields. 
For the certs and keys in PEM format, I used an actual line break after each 
line. For example, I pasted the cert into the MySQL command line one line at a 
time, pressing enter between each, and finally finishing the query with a 
semicolon at the end of the last line. I'm sure there is a less obtuse method 
of doing this, but I'm not a DBA :)

After manually adding the root and intermediate CAs to the database, I used the 
web interface to upload the domain cert. I'm not sure if manually adding all of 
the certs will work, as the API call (that the web interface uses) doesn't 
simply update the DB, it kicks off other internal operations (system VM reboot 
at the very least).

If anyone has any questions, feel free to ask.

-WPR


-----Original Message-----
From: Nux! [mailto:n...@li.nux.ro] 
Sent: Saturday, December 14, 2013 11:48 AM
To: users@cloudstack.apache.org
Subject: RE: Console Proxy Certificate Chain

On 13.12.2013 14:20, Billy Ramsay wrote:
> I've got this working now. I manually added the root and intermediate 
> CA certs to the DB as Chiradeep suggested, and then added the domain 
> cert using the web interface. All is now working properly.
> 
> Thanks!

Can you detail which tables/fields you had to modify please?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro
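
The keystore layout described in the reply at the top of this thread (seq ordering, PEM stored with real line breaks), turned into a read-only check. This is an added example, not part of the original thread or CloudStack's own code. It assumes an in-memory SQLite table as a stand-in for the MySQL "keystore" table; the function names, row labels, the example.test domain and the placeholder PEM bodies are constructed for illustration.

```python
import base64
import sqlite3

def fake_pem(label):
    """Constructed placeholder in PEM framing; not a real certificate."""
    body = base64.b64encode(f"constructed placeholder for {label} ".encode() * 3).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"

def pem_problem(pem):
    """Return why a stored certificate value is malformed, or None if it looks sane."""
    lines = (pem or "").strip().splitlines()
    if len(lines) < 3:
        return "PEM is not split across lines"
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        return "missing BEGIN/END CERTIFICATE lines"
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return "body is not valid base64"
    return None

def audit_keystore(conn):
    """Check seq values and PEM framing; the private key column is never read."""
    findings, seen = [], {}
    for row_id, cert, seq in conn.execute("SELECT id, certificate, seq FROM keystore ORDER BY id"):
        if seq is None:
            findings.append((row_id, "seq is NULL"))
        elif seq in seen:
            findings.append((row_id, f"seq {seq} already used by row {seen[seq]}"))
        else:
            seen[seq] = row_id
        if (problem := pem_problem(cert)):
            findings.append((row_id, problem))
    roles = ((1, "root CA"), (2, "intermediate CA"), (3, "domain cert"))
    findings += [(None, f"no row with seq {s} ({r})") for s, r in roles if s not in seen]
    return findings

def demo(fixed=False):
    """Constructed rows: a web-uploaded domain cert plus two manually added CA rows."""
    conn = sqlite3.connect(":memory:")  # stand-in for the real MySQL database
    conn.execute('CREATE TABLE keystore (id INTEGER PRIMARY KEY, name TEXT, '
                 'certificate TEXT, "key" TEXT, domain_suffix TEXT, seq INTEGER)')
    flat = fake_pem("intermediate").replace("\n", " ")  # pasted without line breaks
    conn.executemany("INSERT INTO keystore VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "CPVMCertificate", fake_pem("domain"), None, "example.test", 3 if fixed else None),
        (2, "root", fake_pem("root"), None, "example.test", 1),
        (3, "intermediate", fake_pem("intermediate") if fixed else flat, None, "example.test", 2),
    ])
    return audit_keystore(conn)
```

The query selects only id, certificate and seq, so the private key never reaches the terminal or a log while the table is being inspected.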

