cloudstack-dev mailing list archives

From Andrija Panic <andrija.pa...@gmail.com>
Subject Re: Question: Domain filed on the SSL upload form
Date Thu, 01 Mar 2018 14:22:57 GMT
Thanks Rafael, that seems reasonable. Excellent!

Thx a lot.

On 1 March 2018 at 14:58, Rafael Weingärtner <rafaelweingartner@gmail.com>
wrote:

> Looking at the code, I see that the "domainSuffix" is not validated against
> the certificate common name. That is why everything works for you. The
> "domainSuffix" is only used for logical stuff inside ACS.
>
> The global parameter is only used to generate the URL to access the
> SSVM/console proxy, which is protected via SSL and uses the certificate you
> configured. So, as long as the common name of the certificate matches the
> global parameter you are good to go.
>
> On Thu, Mar 1, 2018 at 10:49 AM, Andrija Panic <andrija.panic@gmail.com>
> wrote:
>
> > anyone ?
> >
> > On 27 February 2018 at 14:32, Andrija Panic <andrija.panic@gmail.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > I got confused about the domain fields/API parameter that is used when
> > > uploading new SSL, to be used on CPVM and SSVM copy process (this is
> > > domain_suffix in cloud.keystore table)
> > >
> > > Due to some automation, I came across the following scenarios, which
> > > WORKS FINE, but I'm confused as to how and why it works.
> > >
> > > New SSL that was issued for " *.domain1.com " was uploaded via API (CA,
> > > intermediate, server cert, and the key in pkcs8) - but domain specified
> > > during this SSL upload process was " domain2.com " (so NOT matching
> > > domain of the certificate)
> > >
> > > This causes the cloud.keystore table/rows to have this domain2.com in
> > > the last column next to CA/intermediate/server/key... (this is
> > > domain_suffix column)
> > >
> > > But in global config we define " *.domain1.com " as the CERT to be used
> > > for CPVM and for securing/encrypting secondary storage copy process
> > > between zones
> > > Same SSL is also used to i.e. download templates etc...
> > >
> > > So it all works fine, but...how ?, when "domain1.com" (instead of "*.
> > > domain2.com") was defined in uploadCertificate GUI/API - i.e. what is
> > > the use of this domain_suffix field at all ?
> > >
> > > Thx,
> > >
> > > --
> > >
> > > Andrija Panić
> > >
> >
> >
> >
> > --
> >
> > Andrija Panić
> >
>
>
>
> --
> Rafael Weingärtner
>



-- 

Andrija Panić
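
A consistency check for the situation discussed in this thread, as an added example that is not part of the original messages and is not CloudStack code: it compares the certificate's names with the domain suffix given at upload and with the global URL domain setting. The function names, finding labels and sample values are assumptions made for illustration, and wildcard matching is limited to one left-most label.

```python
# Added example, not CloudStack code. Names and sample values are constructed.

def _labels(name):
    return name.strip().rstrip(".").lower().split(".")

def name_covers(cert_name, host):
    """True if a certificate name (exact or '*.' wildcard) covers host."""
    c, h = _labels(cert_name), _labels(host)
    if len(c) != len(h) or "" in c or "" in h:
        return False
    if c[0] == "*":
        # The wildcard stands for exactly one label and must not sit
        # directly on a top-level domain ("*.com").
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h

def covers_setting(cert_names, setting):
    """True if the certificate covers hosts generated under a configured domain."""
    s = setting.strip().lower()
    base = s[2:] if s.startswith("*.") else s
    candidates = ["probe-host." + base]  # constructed host one label below base
    if not s.startswith("*."):
        candidates.append(base)  # the setting may also be one exact host name
    return any(name_covers(n, c) for n in cert_names for c in candidates)

def audit(cert_names, domain_suffix, url_domain):
    """Return findings for one upload; an empty list means all three agree."""
    findings = []
    if not covers_setting(cert_names, url_domain):
        # Generated SSVM/console proxy URLs would fail TLS name checks.
        findings.append("url-domain-mismatch")
    if not covers_setting(cert_names, domain_suffix):
        # Per the thread this is not validated on upload; report it anyway.
        findings.append("domain-suffix-mismatch")
    return findings

if __name__ == "__main__":
    # The scenario from the thread: certificate for *.domain1.com, upload
    # domain domain2.com, global setting *.domain1.com.
    print(audit(["*.domain1.com"], "domain2.com", "*.domain1.com"))
```

Feed it the subject common name and subject alternative names read from the certificate with your usual tooling; run against the thread's scenario it reports only the suffix mismatch, which is why TLS still worked.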
