incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Noah Slater <>
Subject Re: realhostip certificate role in Cloudstack
Date Sun, 30 Sep 2012 16:20:14 GMT
Perhaps stick this on the wiki too.

On Fri, Sep 21, 2012 at 6:26 PM, Kelven Yang <> wrote:

> Periodically we get questions asking about what realhostip DNS name is
> exactly doing in CloudStack. domain exists to make HTTPS
> work across all CloudStack installations in different customer sites,
> without administrators to worry about how to load a SSL certificate due to
> deployment environment changes.
> SSL certificates are used in CloudStack system VMs to host HTTPS
> connections, for example, console proxy VM and Secondary storage VM, both
> uses it in its HTTP server. SSL certificate is signed with
> wild-match addresses, all DNS names under * are qualified
> to use the certificate. Because of the fact that every CloudStack customer
> has its own environment, every each one has their own sets of system VMs
> in their installations and each system VM instance has their own sets of
> IP addresses. To use ONE certificate to apply for all these instances
> among different customers, we came out with a solution by providing
> dynamic DNS service hosted by CloudStack, the DDNS service basically
> translates following form of DNS names to IP addresses
> to IP address
> CloudStack has control of IP address in each installation, so whenever we
> need a SSL certificate, does not matter which customer is running the
> installation, with such DDNS service is available, we can always assign it
> a suffix under domain on top of ever-changing IP addresses,
> this is the trick we play to make ONE SSL certificate applicable
> universally among all CloudStack installations.
> In most of these cases, the ugly formed DNS name is not visible to end
> users, since its main purpose is to help establish secure communication
> channel (not truly to certify a site), however, there are cases that
> customer may do care, therefore, Console proxy VM does provide
> customizable way for users to use their own SSL certificates
> Kelven


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message