incubator-cloudstack-dev mailing list archives

From Chip Childers <chip.child...@sungard.com>
Subject Re: Help Needed: How can I use an SSL certificate that contains an intermediate CA?
Date Wed, 14 Nov 2012 21:46:38 GMT
On Fri, Nov 9, 2012 at 3:06 PM, Edison Su <Edison.su@citrix.com> wrote:
>
>
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.childers@sungard.com]
>> Sent: Friday, November 09, 2012 10:46 AM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Help Needed: How can I use an SSL certificate that contains an
>> intermediate CA?
>>
>> Hi all,
>>
>> We're trying to use a certificate that has an intermediate CA in the cert chain
>> (top level CA > intermediate CA > certificate) for the console proxy.  Has
>> anyone documented the correct process for adding a cert chain?  The logic
>> for the uploadCustomCertificate API call only supports a single cert provided
>> by a top level CA right now.
>
>
> It can support a cert chain, by using the id field in the uploadCustomCertificate api.
> Id =1 is root ca, 2 is intermediate ca, and so on.
>
>>
>> -chip
>

I need some help with where to look next.  So far, I've got this in
the database (I'm not showing the cert or key fields):

select id, name, domain_suffix, seq from keystore;
+----+-----------------+---------------------------+------+
| id | name            | domain_suffix             | seq  |
+----+-----------------+---------------------------+------+
|  1 | CPVMCertificate | console.test.com          | NULL |
|  2 | root            | console.test.com          |    1 |
|  8 | intermediate_ca | console.test.com          |    2 |
+----+-----------------+---------------------------+------+
3 rows in set (0.00 sec)

However, after destroying the CPVM, and waiting for it to regenerate,
I see that it's still using the realhostip.keystore file.

Looking at the code, I see that in
console-proxy/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
there is an expectation for ksBits to be != null in order for an
alternate keystore file to be used.  That being said, I'm at a loss as
to how that value is set!

Help would be appreciated.

-chip
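
Added example, not part of the original message and not CloudStack code: a stdlib-only Python helper that reads a PEM bundle, orders it root-first by matching issuer to subject, and assigns the id values in the numbering given in the quoted reply (1 = root CA, 2 = intermediate CA, and so on). The function names are hypothetical, and leaving the server certificate without an id is an assumption read off the seq = NULL row in the table above.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # enter Certificate
    _, pos, _ = _tlv(der, pos)             # enter tbsCertificate
    parts = []
    while len(parts) < 5:                  # serial, sigAlg, issuer, validity, subject
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:                    # skip the optional [0] version field
            parts.append(der[pos:end])
        pos = end
    return parts[2], parts[4]

def upload_plan(pem_bundle):
    """Order a bundle root-first; return [(id, index_in_bundle), ...].

    Names are compared byte-for-byte and signatures are NOT verified, so this
    only checks that the chain links up, not that it is cryptographically valid.
    """
    certs = [(i, *issuer_subject(base64.b64decode(b)))
             for i, b in enumerate(PEM_RE.findall(pem_bundle))]
    roots = [c for c in certs if c[1] == c[2]]   # self-issued: issuer == subject
    if len(roots) != 1:
        raise ValueError("expected exactly one self-issued root, found %d" % len(roots))
    chain, rest = roots, [c for c in certs if c is not roots[0]]
    while rest:
        nxt = [c for c in rest if c[1] == chain[-1][2]]
        if len(nxt) != 1:                  # missing or duplicated link in the chain
            raise ValueError("chain broken or ambiguous after bundle index %d" % chain[-1][0])
        chain.append(nxt[0])
        rest.remove(nxt[0])
    # CA certificates get id 1, 2, ...; the last (server) certificate gets no id (assumption)
    return [(n + 1 if n < len(chain) - 1 else None, c[0]) for n, c in enumerate(chain)]
```
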
