cloudstack-dev mailing list archives

From Chip Childers <chip.child...@sungard.com>
Subject Re: Help Needed: How can I use an SSL certificate that contains an intermediate CA?
Date Thu, 27 Dec 2012 00:51:03 GMT
On Dec 26, 2012, at 4:34 PM, John Kinsella <jlk@stratosec.co> wrote:

> Chip, didya get this working? I took a quick look in the wiki and didn't see any docs
> on it

I did actually. My problem boiled down to the client library I was
using hadn't been updated to match the server side API's desire to use
"+" as the space char.

Edison's instructions work.

>
> (Sorry all, I'm obviously catching up on some old threads)
> John
>
> On Nov 14, 2012, at 1:46 PM, Chip Childers <chip.childers@sungard.com> wrote:
>
>> On Fri, Nov 9, 2012 at 3:06 PM, Edison Su <Edison.su@citrix.com> wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: Chip Childers [mailto:chip.childers@sungard.com]
>>>> Sent: Friday, November 09, 2012 10:46 AM
>>>> To: cloudstack-dev@incubator.apache.org
>>>> Subject: Help Needed: How can I use an SSL certificate that contains an
>>>> intermediate CA?
>>>>
>>>> Hi all,
>>>>
>>>> We're trying to use a certificate that has an intermediate CA in the cert
>>>> chain (top level CA > intermediate CA > certificate) for the console proxy.
>>>> Has anyone documented the correct process for adding a cert chain?  The logic
>>>> for the uploadCustomCertificate API call only supports a single cert provided
>>>> by a top level CA right now.
>>>
>>>
>>> It can support a cert chain, by using the id field in the
>>> uploadCustomCertificate API.
>>> Id = 1 is the root CA, 2 is the intermediate CA, and so on.
>>>
>>>>
>>>> -chip
>>
>> I need some help with where to look next.  So far, I've got this in
>> the database (I'm not showing the cert or key fields):
>>
>> select id, name, domain_suffix, seq from keystore;
>> +----+-----------------+---------------------------+------+
>> | id | name            | domain_suffix             | seq  |
>> +----+-----------------+---------------------------+------+
>> |  1 | CPVMCertificate | console.test.com          | NULL |
>> |  2 | root            | console.test.com          |    1 |
>> |  8 | intermediate_ca | console.test.com          |    2 |
>> +----+-----------------+---------------------------+------+
>> 3 rows in set (0.00 sec)
>>
>> However, after destroying the CPVM, and waiting for it to regenerate,
>> I see that it's still using the realhostip.keystore file.
>>
>> Looking at the code, I see that in
>> console-proxy/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
>> there is an expectation for ksBits to be != null in order for an
>> alternate keystore file to be used.  That being said, I'm at a loss as
>> to how that value is set!
>>
>> Help would be appreciated.
>>
>> -chip
>
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella
>
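
Added example, not part of the original thread and not CloudStack or client-library code: a round-trip check for a PEM value sent as a request parameter to a server that decodes "+" as a space, which is the convention the reply above says the client library had not matched. The server decoder, the three client encoders and the PEM-shaped sample are assumptions constructed for illustration; the thread does not show the library or the exact failure.

```python
import base64
from urllib.parse import quote, quote_plus, unquote_plus

# Constructed sample: PEM-shaped text, not a real certificate. The bytes are
# chosen so the base64 body contains literal '+' characters.
BODY = base64.b64encode(bytes([0xFB, 0xEF, 0xBE, 0xFF] * 12)).decode()
PEM = f"-----BEGIN CERTIFICATE-----\n{BODY}\n-----END CERTIFICATE-----\n"


def server_decode(wire: str) -> str:
    """Assumed server behaviour: form-style decoding, where '+' means space."""
    return unquote_plus(wire)


# Three hypothetical client encoders for the certificate parameter.
ENCODERS = {
    "plus": quote_plus,                        # space -> '+',  '+' -> %2B
    "percent20": lambda v: quote(v, safe=""),  # space -> %20,  '+' -> %2B
    # Escapes whitespace only and leaves '+' as-is (the failure case).
    "whitespace_only": lambda v: v.replace(" ", "%20").replace("\n", "%0A"),
}


def roundtrip(encoder, pem: str = PEM) -> dict:
    """Encode as the client would, decode as the server would, then compare."""
    received = server_decode(encoder(pem))
    body = "".join(received.splitlines()[1:-1])
    try:
        base64.b64decode(body, validate=True)
        body_ok = True
    except ValueError:  # binascii.Error is a ValueError subclass
        body_ok = False
    return {"intact": received == pem, "base64_ok": body_ok}


def report() -> dict:
    """Round-trip result for every encoder, keyed by encoder name."""
    return {name: roundtrip(enc) for name, enc in ENCODERS.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:16} {result}")
```

Passing a client library's own encoding function to `roundtrip` before calling uploadCustomCertificate shows whether the certificate text would reach such a server unchanged.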
