mirror of
https://github.com/apache/cloudstack.git
synced 2025-12-19 12:03:50 +01:00
115 lines
4.4 KiB
XML
115 lines
4.4 KiB
XML
<?xml version='1.0' encoding='utf-8' ?>
|
|
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY % BOOK_ENTITIES SYSTEM "Release_Notes.ent">
|
|
%BOOK_ENTITIES;
|
|
]>
|
|
<section id="change-console-proxy-ssl-certificate-domain" lang="en-US">
|
|
<!-- Licensed to the Apache Software Foundation (ASF) under one
|
|
or more contributor license agreements. See the NOTICE file
|
|
distributed with this work for additional information
|
|
regarding copyright ownership. The ASF licenses this file
|
|
to you under the Apache License, Version 2.0 (the
|
|
"License"); you may not use this file except in compliance
|
|
with the License. You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing,
|
|
software distributed under the License is distributed on an
|
|
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
KIND, either express or implied. See the License for the
|
|
specific language governing permissions and limitations
|
|
under the License.
|
|
--> <title>Changing the Console Proxy SSL Certificate and Domain</title>
|
|
<para>
|
|
If the administrator prefers, it is possible for the URL of the customer's console session to show a domain other than realhostip.com. The administrator can customize the displayed domain by selecting a different domain and uploading a new SSL certificate and private key. The domain must run a DNS service that is capable of resolving queries for addresses of the form aaa-bbb-ccc-ddd.your.domain to an IPv4 IP address in the form aaa.bbb.ccc.ddd, for example, 202.8.44.1. To change the console proxy domain, SSL certificate, and private key:
|
|
</para>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>
|
|
Set up dynamic name resolution or populate all possible DNS names in your public IP range into your existing DNS server with the format aaa-bbb-ccc-ddd.company.com -> aaa.bbb.ccc.ddd.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Generate the private key and certificate signing request (CSR). When you are using openssl to generate private/public key pairs and CSRs, for the private key that you are going to paste into the &PRODUCT; UI, be sure to convert it into PKCS#8 format.
|
|
</para>
|
|
<orderedlist numeration="loweralpha">
|
|
<listitem>
|
|
<para>
|
|
Generate a new 2048-bit private key
|
|
</para>
|
|
|
|
<programlisting>openssl genrsa -des3 -out yourprivate.key 2048</programlisting>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Generate a new certificate CSR
|
|
</para>
|
|
|
|
<programlisting>openssl req -new -key yourprivate.key -out yourcertificate.csr</programlisting>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Head to the website of your favorite trusted Certificate Authority, purchase an SSL certificate, and submit the CSR. You should receive a valid certificate in return
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Convert your private key format into PKCS#8 encrypted format.
|
|
</para>
|
|
|
|
<programlisting>openssl pkcs8 -topk8 -in yourprivate.key -out yourprivate.pkcs8.encryped.key</programlisting>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Convert your PKCS#8 encrypted private key into the PKCS#8 format that is compliant with &PRODUCT;
|
|
</para>
|
|
|
|
<programlisting>openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key</programlisting>
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
In the Update SSL Certificate screen of the &PRODUCT; UI, paste the following
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Certificate from step 1(c).
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Private key from step 1(e).
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The desired new domain name; for example, company.com
|
|
</para>
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The desired new domain name; for example, company.com
|
|
</para>
|
|
<para>
|
|
This stops all currently running console proxy VMs, then restarts them with the new certificate and key. Users might notice a brief interruption in console availability
|
|
</para>
|
|
</listitem>
|
|
|
|
</orderedlist>
|
|
<para>
|
|
The Management Server will generate URLs of the form "aaa-bbb-ccc-ddd.company.com" after this change is made. New console requests will be served with the new DNS domain name, certificate, and key
|
|
</para>
|
|
</section>
|
|
|
|
|