cloudstack-users mailing list archives

From Kelven Yang <>
Subject FW: realhostip certificate role in Cloudstack
Date Fri, 21 Sep 2012 18:07:52 GMT
Post on user list and hope the information is helpful


On 9/21/12 10:26 AM, "Kelven Yang" <> wrote:

>Periodically we get questions asking about what realhostip DNS name is
>exactly doing in CloudStack. domain exists to make HTTPS
>work across all CloudStack installations in different customer sites,
>without administrators having to worry about how to load an SSL certificate due to
>deployment environment changes.
>SSL certificates are used in CloudStack system VMs to host HTTPS
>connections, for example, console proxy VM and Secondary storage VM, both
>use it in their HTTP servers. SSL certificate is signed with
>wild-match addresses, all DNS names under * are qualified
>to use the certificate. Because every CloudStack customer
>has its own environment, each one has its own set of system VMs
>in its installation, and each system VM instance has its own set of
>IP addresses. To apply ONE certificate to all these instances
>among different customers, we came up with a solution by providing
>a dynamic DNS service hosted by CloudStack. The DDNS service basically
>translates the following form of DNS names to IP addresses
> to IP address
>CloudStack has control of the IP addresses in each installation, so whenever we
>need an SSL certificate, it does not matter which customer is running the
>installation; with such a DDNS service available, we can always assign it
>a suffix under domain on top of ever-changing IP addresses.
>This is the trick we play to make ONE SSL certificate applicable
>universally among all CloudStack installations.
>In most of these cases, the ugly formed DNS name is not visible to end
>users, since its main purpose is to help establish a secure communication
>channel (not truly to certify a site). However, there are cases where
>customers may care; therefore, the console proxy VM does provide a
>customizable way for users to use their own SSL certificates
