cloudstack-users mailing list archives

From Rafael Weingärtner <rafaelweingart...@gmail.com>
Subject Re: Question: Domain filed on the SSL upload form
Date Thu, 01 Mar 2018 13:58:39 GMT
Looking at the code, I see that the "domainSuffix" is not validated against
the certificate common name. That is why everything works for you. The
"domainSuffix" is only used for logical stuff inside ACS.

The global parameter is only used to generate the URL to access the
SSVM/console proxy, which is protected via SSL and uses the certificate you
configured. So, as long as the common name of the certificate matches the
global parameter you are good to go.

On Thu, Mar 1, 2018 at 10:49 AM, Andrija Panic <andrija.panic@gmail.com>
wrote:

> anyone ?
>
> On 27 February 2018 at 14:32, Andrija Panic <andrija.panic@gmail.com>
> wrote:
>
> > Hi all,
> >
> > I got confused about the domain fields/API parameter that is used when
> > uploading new SSL, to be used on CPVM and SSVM copy process (this is
> > domain_suffix in cloud.keystore table)
> >
> > Due to some automation, I came across the following scenarios, which WORKS
> > FINE, but I'm confused as to how and why it works.
> >
> > New SSL that was issued for " *.domain1.com " was uploaded via API (CA,
> > intermediate, server cert, and the key in pkcs8) - but domain specified
> > during this SSL upload process was " domain2.com " (so NOT matching
> > domain of the certificate)
> >
> > This causes the cloud.keystore table/rows to have this domain2.com in the
> > last column next to CA/intermediate/server/key... (this is domain_suffix
> > column)
> >
> > But in global config we define " *.domain1.com " as the CERT to be used
> > for CPVM and for securing/encrypting secondary storage copy process between
> > zones
> > Same SSL is also used to i.e. download templates etc...
> >
> > So it all works fine, but...how ?, when "domain1.com" (instead of "*.
> > domain2.com") was defined in uploadCertificate GUI/API - i.e. what is the
> > use of this domain_suffix field at all ?
> >
> > Thx,
> >
> > --
> >
> > Andrija Panić
> >
>
>
>
> --
>
> Andrija Panić
>



-- 
Rafael Weingärtner
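
Added example (not part of the original message and not CloudStack code): a pre-upload check an operator could run, since the thread says the upload itself does not compare the domain suffix with the certificate. It assumes the certificate's DNS names have already been read from the certificate, that the suffix is meant as a wildcard domain, and that the generated hostname is one label under the configured domain; the function names and the sample label are hypothetical.

```python
# Constructed values taken from the scenario in the thread.
CERT_NAMES = ["*.domain1.com"]   # names in the uploaded certificate (assumed pre-extracted)
URL_DOMAIN = "*.domain1.com"     # global parameter used to build the SSVM/console proxy URL
DOMAIN_SUFFIX = "domain2.com"    # value entered in the upload form / API


def _labels(name):
    # Normalise: trim, drop a trailing root dot, compare case-insensitively.
    return name.strip().rstrip(".").lower().split(".")


def name_covers(cert_name, host):
    """RFC 6125-style match: '*' only as the whole left-most label, one label deep."""
    pattern, target = _labels(cert_name), _labels(host)
    if len(pattern) != len(target) or "" in target:
        return False
    if pattern[0] == "*":
        # Refuse wildcards directly under a top-level label such as '*.com'.
        return len(pattern) >= 3 and pattern[1:] == target[1:]
    return pattern == target


def expand(domain, label="203-0-113-10"):
    """Hypothetical hostname under a wildcard domain; the label shape is an assumption."""
    return f"{label}.{domain[2:]}" if domain.startswith("*.") else domain


def check_upload(cert_names, url_domain, domain_suffix):
    """Report whether the certificate covers the generated URL host and the suffix."""
    host = expand(url_domain)
    # Assumption: a bare suffix such as 'domain2.com' is intended as '*.domain2.com'.
    suffix = domain_suffix if domain_suffix.startswith("*.") else "*." + domain_suffix
    suffix_host = expand(suffix)
    return {
        "host": host,
        # What a TLS client actually verifies when it opens the generated URL.
        "tls_name_ok": any(name_covers(n, host) for n in cert_names),
        # Not enforced at upload according to the thread; worth flagging in automation.
        "suffix_consistent": any(name_covers(n, suffix_host) for n in cert_names),
    }


if __name__ == "__main__":
    print(check_upload(CERT_NAMES, URL_DOMAIN, DOMAIN_SUFFIX))
```

With the thread's values the TLS name check passes while the suffix is reported as inconsistent, which matches the behaviour described above.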
