incubator-cloudstack-dev mailing list archives

From Kelven Yang <kelven.y...@citrix.com>
Subject realhostip certificate role in Cloudstack
Date Fri, 21 Sep 2012 17:26:30 GMT
Periodically we get questions asking what the realhostip DNS name is
exactly doing in CloudStack. The Realhostip.com domain exists to make HTTPS
work across all CloudStack installations at different customer sites,
without administrators having to worry about how to load an SSL certificate
due to deployment environment changes.

SSL certificates are used in CloudStack system VMs to host HTTPS
connections; for example, the console proxy VM and the secondary storage VM
both use it in their HTTP servers. The Realhostip.com SSL certificate is
signed with wild-match addresses: all DNS names under *.realhostip.com are
qualified to use the certificate. Because every CloudStack customer has its
own environment, each one has its own set of system VMs in its installation,
and each system VM instance has its own set of IP addresses. To use ONE
certificate for all these instances among different customers, we came up
with a solution by providing a dynamic DNS service hosted by CloudStack; the
DDNS service basically translates the following form of DNS names to IP
addresses:

xxx-xxx-xxx-xxx.realhostip.com to IP address xxx.xxx.xxx.xxx

CloudStack has control of the IP addresses in each installation, so whenever
we need an SSL certificate, no matter which customer is running the
installation, with such a DDNS service available we can always assign it a
suffix under the realhostip.com domain on top of ever-changing IP addresses.
This is the trick we play to make ONE SSL certificate applicable universally
among all CloudStack installations.

In most of these cases, the ugly-formed DNS name is not visible to end
users, since its main purpose is to help establish a secure communication
channel (not truly to certify a site); however, there are cases where
customers may care, and therefore the console proxy VM does provide a
customizable way for users to use their own SSL certificates.

Kelven


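The name-to-address mapping and the wildcard rule described in the message above, worked through as an added example. This is not CloudStack's code and not part of the original mail; it assumes only the `A-B-C-D.realhostip.com` to `A.B.C.D` form stated there, replaces the real DDNS lookup with a constructed in-memory table so it runs offline, and adds one defender-side check the mail does not spell out: because such a name carries its own expected answer, a DNS reply that differs from the encoded address is an inconsistency worth flagging.

```python
"""Model of the realhostip.com dynamic-DNS trick (added example, not CloudStack code)."""
import ipaddress
import re
from typing import Dict, Optional

REALHOSTIP_SUFFIX = "realhostip.com"
# Exactly four 1-3 digit groups joined by '-' directly under the suffix.
_NAME_RE = re.compile(
    r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\." + re.escape(REALHOSTIP_SUFFIX) + r"$"
)


def ip_to_realhostip(ip: str) -> str:
    """A.B.C.D -> A-B-C-D.realhostip.com.
    Raises ValueError for anything that is not a valid IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return str(addr).replace(".", "-") + "." + REALHOSTIP_SUFFIX


def realhostip_to_ip(name: str) -> Optional[str]:
    """Inverse mapping. Returns None unless the name is four canonical
    dotted-decimal octets under the suffix; octets above 255 and
    non-canonical forms such as '01' are rejected rather than repaired."""
    m = _NAME_RE.match(name.strip().lower().rstrip("."))
    if m is None:
        return None
    octets = m.groups()
    for o in octets:
        if int(o) > 255 or str(int(o)) != o:
            return None
    return ".".join(octets)


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """Does a certificate name like '*.realhostip.com' cover hostname?
    The wildcard matches exactly one left-most label (RFC 6125 style), so
    'a.b.realhostip.com' and the bare 'realhostip.com' are not covered."""
    pattern = pattern.lower()
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".realhostip.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return first_label != "" and "." not in first_label


def dns_answer_consistent(name: str, resolved_ip: str) -> bool:
    """Defender-side sanity check (assumption, not described in the mail):
    the address DNS returns for a realhostip-style name must equal the
    address encoded in the name itself."""
    expected = realhostip_to_ip(name)
    return expected is not None and expected == resolved_ip


# Constructed stand-in for the DDNS service so the example runs offline.
FAKE_DDNS: Dict[str, str] = {
    "192-168-1-10.realhostip.com": "192.168.1.10",  # consistent entry
    "10-0-0-5.realhostip.com": "10.0.0.99",         # constructed mismatch
}


def audit_ddns_table(table: Dict[str, str]) -> Dict[str, bool]:
    """Run the consistency check over every entry of a lookup table."""
    return {name: dns_answer_consistent(name, ip) for name, ip in table.items()}


if __name__ == "__main__":
    print(ip_to_realhostip("192.168.1.10"))
    print(realhostip_to_ip("192-168-1-10.realhostip.com"))
    print(audit_ddns_table(FAKE_DDNS))
```

The strict parser matters more than it looks: the wildcard certificate accepts any single label under the suffix, so the only thing tying a name to a specific endpoint is the encoded address, and a lenient parser that "repaired" octets like `01` or `300` would quietly weaken that tie.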