incubator-cloudstack-dev mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: Help Needed: How can I use an SSL certificate that contains an intermediate CA?
Date Wed, 26 Dec 2012 21:33:24 GMT
Chip, didya get this working? I took a quick look in the wiki and didn't see any docs on it.

(Sorry all, I'm obviously catching up on some old threads)
John

On Nov 14, 2012, at 1:46 PM, Chip Childers <chip.childers@sungard.com> wrote:

> On Fri, Nov 9, 2012 at 3:06 PM, Edison Su <Edison.su@citrix.com> wrote:
>> 
>> 
>>> -----Original Message-----
>>> From: Chip Childers [mailto:chip.childers@sungard.com]
>>> Sent: Friday, November 09, 2012 10:46 AM
>>> To: cloudstack-dev@incubator.apache.org
>>> Subject: Help Needed: How can I use an SSL certificate that contains an
>>> intermediate CA?
>>> 
>>> Hi all,
>>> 
>>> We're trying to use a certificate that has an intermediate CA in the cert chain
>>> (top level CA > intermediate CA > certificate) for the console proxy.  Has
>>> anyone documented the correct process for adding a cert chain?  The logic
>>> for the uploadCustomCertificate API call only supports a single cert provided
>>> by a top level CA right now.
>> 
>> 
>> It can support a cert chain by using the id field in the uploadCustomCertificate API.
>> Id = 1 is root CA, 2 is intermediate CA, and so on.
>> 
>>> 
>>> -chip
>> 
> 
> I need some help with where to look next.  So far, I've got this in
> the database (I'm not showing the cert or key fields):
> 
> select id, name, domain_suffix, seq from keystore;
> +----+-----------------+---------------------------+------+
> | id | name            | domain_suffix             | seq  |
> +----+-----------------+---------------------------+------+
> |  1 | CPVMCertificate | console.test.com          | NULL |
> |  2 | root            | console.test.com          |    1 |
> |  8 | intermediate_ca | console.test.com          |    2 |
> +----+-----------------+---------------------------+------+
> 3 rows in set (0.00 sec)
> 
> However, after destroying the CPVM, and waiting for it to regenerate,
> I see that it's still using the realhostip.keystore file.
> 
> Looking at the code, I see that in
> console-proxy/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
> there is an expectation for ksBits to be != null in order for an
> alternate keystore file to be used.  That being said, I'm at a loss as
> to how that value is set!
> 
> Help would be appreciated.
> 
> -chip
> 

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella

