On Fri, Nov 9, 2012 at 3:06 PM, Edison Su <edison...@citrix.com> wrote:
>
>
>> -----Original Message-----
>> From: Chip Childers [mailto:chip.child...@sungard.com]
>> Sent: Friday, November 09, 2012 10:46 AM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Help Needed: How can I use an SSL certificate that contains an
>> intermediate CA?
>>
>> Hi all,
>>
>> We're trying to use a certificate that has an intermediate CA in the cert
>> chain (top level CA > intermediate CA > certificate) for the console proxy.
>> Has anyone documented the correct process for adding a cert chain? The logic
>> for the uploadCustomCertificate API call only supports a single cert provided
>> by a top level CA right now.
>
>
> It can support a cert chain, by using the id field in the
> uploadCustomCertificate API.
> Id = 1 is root ca, 2 is intermediate ca, and so on.
>
>>
>> -chip
>
I need some help with where to look next. So far, I've got this in the
database (I'm not showing the cert or key fields):

select id, name, domain_suffix, seq from keystore;
+----+-----------------+---------------------------+------+
| id | name            | domain_suffix             | seq  |
+----+-----------------+---------------------------+------+
|  1 | CPVMCertificate | console.test.com          | NULL |
|  2 | root            | console.test.com          |    1 |
|  8 | intermediate_ca | console.test.com          |    2 |
+----+-----------------+---------------------------+------+
3 rows in set (0.00 sec)

However, after destroying the CPVM, and waiting for it to regenerate, I see
that it's still using the realhostip.keystore file. Looking at the code, I
see that in
console-proxy/src/com/cloud/consoleproxy/ConsoleProxySecureServerFactoryImpl.java
there is an expectation for ksBits to be != null in order for an alternate
keystore file to be used. That being said, I'm at a loss as to how that
value is set!

Help would be appreciated.

-chip