cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Billy Ramsay" <>
Subject RE: Changing the SSL certificate for my own realhostip
Date Fri, 28 Feb 2014 13:41:23 GMT
My experience with 4.1.1 is that PEM format is correct. However, unless it has been corrected,
you cannot upload an entire certificate chain using the GUI. In a past email I outlined the
steps I used and my experiences with adding a custom SSL chain to ACS for the console proxy.
Below is the content of that message:

I've got this working now. I manually added the root and intermediate CA certs to the DB as
Chiradeep suggested, and then added the domain cert using the web interface.

This is what I have found in my research and testing.

The table in question is "keystore". The table has a few fields (id, name, certificate, key,
domain_suffix, seq).

1. The "id" field seems to be just a numerical identifier for the entry, starting at 1 and
incrementing from there. If you use the web interface to upload a cert, the row with the "id"
of "1" is replaced. From what I have found, using the web interface to upload certs will not
add rows to the keystore table, but using the API will.
2. The "name" field is just a label for the entry, and using the API you can specify whatever
you want here. If you use the web interface to upload a cert, the field is set to "CPVMCertificate".
3. The "certificate" field holds the actual cert, in PEM format.
4. The "key" field holds the key in PEM format.
5. The "domain_suffix" field holds the domain of the certificate, also referred to as the
"common name".
6. The "seq" field is used to set the sequence that the server will read and apply the certificates.
The root CA cert should be 1, an intermediate CA cert should be 2, and the domain cert should
be 3. If you use the web interface to upload a cert, it sets this field to null. I changed
this to a 3 in my case.

To modify the table, I just used some UPDATE statements to modify the fields. For the certs
and keys in PEM format, I used an actual line break after each line. For example, I pasted
the cert into the MySQL command line one line at a time, pressing enter between each, and
finally finishing the query with a semicolon at the end of the last line. I'm sure there is
a less obtuse method of doing this, but I'm not a DBA :)

After manually adding the root and intermediate CAs to the database, I used the web interface
to upload the domain cert. I'm not sure if manually adding all of the certs will work, as
the API call (that the web interface uses) doesn't simply update the DB, it kicks off other
internal operations (system VM reboot at the very least).

If anyone has any questions, feel free to ask.


-----Original Message-----
From: Nux! [] 
Sent: Friday, February 28, 2014 7:23 AM
Cc: Users
Subject: Changing the SSL certificate for my own realhostip


I'm trying to implement my own realhostip and I have a problem with adding the certificate.

What I have is a Comodo wildcard ca_bundle, crt and key in pem format (for use with Apache
HTTPD) and Cloudstack is asking for "X.509 compliant SSL certificate" and "PKCS#8 Private
Key". I have never used these formats and seem to be popular within the java world. I tried
converting what I had from pem to der (pkcs8?) format[1], but what I get is some binary .der
file that's "illegible" and can't really be copy-pased into the UI.

Can someone advise on what steps I should take to get my SSL certs into ACS? I'm on 4.3.0
rev 4440.


cat ca_bundle.crt certificate.crt > certificate.pem openssl x509 -outform der -in certificate.pem
-out certificate.der

Sent from the Delta quadrant using Borg technology!


View raw message