My experience with 4.1.1 is that PEM format is correct. However, unless it has been corrected, you cannot upload an entire certificate chain using the GUI. In a past email I outlined the steps I used and my experiences with adding a custom SSL chain to ACS for the console proxy. Below is the content of that message:
I've got this working now. I manually added the root and intermediate CA certs to the DB as Chiradeep suggested, and then added the domain cert using the web interface. This is what I have found in my research and testing.

The table in question is "keystore". The table has a few fields (id, name, certificate, key, domain_suffix, seq).

1. The "id" field seems to be just a numerical identifier for the entry, starting at 1 and incrementing from there. If you use the web interface to upload a cert, the row with the "id" of "1" is replaced. From what I have found, using the web interface to upload certs will not add rows to the keystore table, but using the API will.

2. The "name" field is just a label for the entry, and using the API you can specify whatever you want here. If you use the web interface to upload a cert, the field is set to "CPVMCertificate".

3. The "certificate" field holds the actual cert, in PEM format.

4. The "key" field holds the key in PEM format.

5. The "domain_suffix" field holds the domain of the certificate, also referred to as the "common name".

6. The "seq" field is used to set the sequence that the server will read and apply the certificates. The root CA cert should be 1, an intermediate CA cert should be 2, and the domain cert should be 3. If you use the web interface to upload a cert, it sets this field to null. I changed this to a 3 in my case.

To modify the table, I just used some UPDATE statements to modify the fields. For the certs and keys in PEM format, I used an actual line break after each line. For example, I pasted the cert into the MySQL command line one line at a time, pressing enter between each, and finally finishing the query with a semicolon at the end of the last line. I'm sure there is a less obtuse method of doing this, but I'm not a DBA :)

After manually adding the root and intermediate CAs to the database, I used the web interface to upload the domain cert.
I'm not sure if manually adding all of the certs will work, as the API call (that the web interface uses) doesn't simply update the DB, it kicks off other internal operations (system VM reboot at the very least).

If anyone has any questions, feel free to ask.

-WPR

-----Original Message-----
From: Nux! [mailto:n...@li.nux.ro]
Sent: Friday, February 28, 2014 7:23 AM
To: d...@cloudstack.apache.org
Cc: Users
Subject: Changing the SSL certificate for my own realhostip

Hi,

I'm trying to implement my own realhostip and I have a problem with adding the certificate.

What I have is a Comodo wildcard ca_bundle, crt and key in pem format (for use with Apache HTTPD) and Cloudstack is asking for "X.509 compliant SSL certificate" and "PKCS#8 Private Key". I have never used these formats and they seem to be popular within the java world.

I tried converting what I had from pem to der (pkcs8?) format[1], but what I get is some binary .der file that's "illegible" and can't really be copy-pasted into the UI.

Can someone advise on what steps I should take to get my SSL certs into ACS? I'm on 4.3.0 rev 4440.

Regards,
Lucian

[1]
    cat ca_bundle.crt certificate.crt > certificate.pem
    openssl x509 -outform der -in certificate.pem -out certificate.der

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro
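
Added example, not part of either message above: a shell sketch that keeps everything in PEM text, re-encodes the private key as PKCS#8, checks that it matches the domain certificate, and splits a CA bundle into separate certificates labelled with the "seq" values the reply describes. It assumes the PKCS#8 key is accepted in PEM encoding, as the reply's experience suggests; all file names, subject names and keys are throwaway values constructed by the script.

```shell
#!/bin/sh
# Added example, not from the thread. All keys and certs are throwaway and constructed here.
set -eu

# Re-encode a PEM private key as unencrypted PKCS#8, still PEM text (pasteable).
to_pkcs8_pem() { openssl pkcs8 -topk8 -nocrypt -inform PEM -outform PEM -in "$1" -out "$2"; }

# Succeed only if certificate $1 and private key $2 carry the same public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Split concatenated bundle $1 into $2/ca-1.pem, $2/ca-2.pem, ... in file order.
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/ca-" n ".pem") }' "$1"
}

# Print the "seq" value described in the reply for a CA certificate:
# 1 for a self-issued root (subject equals issuer), 2 for an intermediate.
ca_seq() {
  set -- $(openssl x509 -in "$1" -noout -subject_hash -issuer_hash)
  if [ "$1" = "$2" ]; then echo 1; else echo 2; fi
}

# --- constructed test material (hypothetical names, valid for one day) ---
w=$(mktemp -d)
issue() { # issue <file stem> <CN> <signer stem>
  openssl genrsa -out "$w/$1.key" 2048 2>/dev/null
  openssl req -new -key "$w/$1.key" -subj "/CN=$2" -out "$w/$1.csr"
  openssl x509 -req -in "$w/$1.csr" -CA "$w/$3.crt" -CAkey "$w/$3.key" \
    -CAcreateserial -days 1 -out "$w/$1.crt" 2>/dev/null
}
openssl genrsa -out "$w/root.key" 2048 2>/dev/null
openssl req -x509 -new -key "$w/root.key" -subj "/CN=Example Root CA" -days 1 -out "$w/root.crt"
issue int "Example Intermediate CA" root
issue certificate "*.example.test" int
cat "$w/int.crt" "$w/root.crt" > "$w/ca_bundle.crt"   # bundle order: intermediate, root

# --- the preparation steps ---
to_pkcs8_pem "$w/certificate.key" "$w/certificate.pkcs8.pem"
key_matches_cert "$w/certificate.crt" "$w/certificate.pkcs8.pem" && echo "key matches certificate"
split_bundle "$w/ca_bundle.crt" "$w"
for f in "$w"/ca-*.pem; do
  echo "$(basename "$f"): seq $(ca_seq "$f"), $(openssl x509 -in "$f" -noout -subject)"
done
echo "certificate.crt: seq 3 (domain certificate)"
```

The PKCS#8 output begins with "-----BEGIN PRIVATE KEY-----" and is plain text, unlike the binary DER file produced by the -outform der conversion in the original question.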