GitHub user weizhouapache added a comment to the discussion: Quick question about keystore (jks) requirement
@dcontiveros-nf

currently when provisioning a host key, cloudstack will generate a cert/key/jks for cloudstack-agent.

```
/etc/cloudstack/agent/cloud.ca.crt
/etc/cloudstack/agent/cloud.crt
/etc/cloudstack/agent/cloud.key
```

these are also used by libvirt. you may have noticed in the script `scripts/util/keystore-cert-import`

- if you want to use self-signed cert for libvirt

  it is easy, you just need to remove the symlink and use your own key.
  do not forget to remove the `ln -sf` in the script `scripts/util/keystore-cert-import`

- if you want to use self-signed cert for cloudstack-agent

  I think it is possible (but I never tested it)
  please bear in mind that the cert/key/jks are generated with an RSA key and a CA certificate which are generated by ACS, you cannot use your own.
  you can find the RSA public/private key and ca certificate by DB query

  ```
  SELECT name,value FROM configuration WHERE name in ('ca.plugin.root.ca.certificate', 'ca.plugin.root.public.key', 'ca.plugin.root.private.key');
  ```

  these values are encrypted by db secret key, you can decrypt the value, please refer to https://cwiki.apache.org/confluence/display/CLOUDSTACK/New+database+encryption+cipher+-+AeadBase64Encryptor#NewdatabaseencryptioncipherAeadBase64Encryptor-6.EncryptionCLIincloudstack-utils.jar

- Alternatively, you can add the host at first, then provision a host key

  ca.plugin.root.auth.strictness should be false

GitHub link: https://github.com/apache/cloudstack/discussions/10784#discussioncomment-13011705

----
This is an automatically sent email for users@cloudstack.apache.org.
To unsubscribe, please send an email to: users-unsubscr...@cloudstack.apache.org
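
For the libvirt case described in the comment above, a check that the host's libvirt TLS files are no longer symlinks into `/etc/cloudstack/agent` after swapping in your own certificate (added example, not part of the original comment or of CloudStack's scripts). The `/etc/pki/...` paths are libvirt's default TLS locations and are an assumption here, as are the function names.

```bash
#!/usr/bin/env bash
# Added example: report whether libvirt's TLS files are still symlinks into the
# CloudStack agent directory or are independent, operator-supplied files.
# Assumption: libvirt's default TLS paths; adjust if libvirtd.conf overrides them.

AGENT_DIR_REL="etc/cloudstack/agent"
LIBVIRT_TLS_FILES="etc/pki/CA/cacert.pem
etc/pki/libvirt/servercert.pem
etc/pki/libvirt/clientcert.pem
etc/pki/libvirt/private/serverkey.pem
etc/pki/libvirt/private/clientkey.pem"

# classify_tls_file PATH AGENT_DIR -> prints one of:
#   missing | cloudstack-symlink | other-symlink | own-file
classify_tls_file() {
    local path="$1" agent_dir="$2" target agent_real
    if [ -L "$path" ]; then
        # Resolve the link and the agent directory to canonical paths.
        target="$(readlink -f -- "$path" 2>/dev/null)" || target=""
        agent_real="$(cd "$agent_dir" 2>/dev/null && pwd -P)" || agent_real="$agent_dir"
        case "$target" in
            "$agent_real"/*) echo "cloudstack-symlink" ;;
            *)               echo "other-symlink" ;;
        esac
    elif [ -f "$path" ]; then
        echo "own-file"
    else
        echo "missing"
    fi
}

# audit_libvirt_tls [ROOT] -> prints one "state path" line per TLS file.
# ROOT is an optional prefix (empty on a real host, a temp dir when testing).
# Returns 1 if any file is missing or still linked to the agent's cert/key,
# e.g. because a later host-key provisioning re-ran the `ln -sf` lines.
audit_libvirt_tls() {
    local root="${1:-}" rc=0 rel state
    while IFS= read -r rel; do
        state="$(classify_tls_file "$root/$rel" "$root/$AGENT_DIR_REL")"
        printf '%-18s %s\n' "$state" "$root/$rel"
        case "$state" in cloudstack-symlink|missing) rc=1 ;; esac
    done <<EOF
$LIBVIRT_TLS_FILES
EOF
    return "$rc"
}
```

Source the file and run `audit_libvirt_tls` with no argument on the KVM host, once after installing your own certificate and again after any later host-key provisioning.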