en-US/change-console-proxy-ssl-certificate-domain.xml - cloudstack-docs - Git at Google

 <?xml version='1.0' encoding='utf-8' ?>
 <!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
 <!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
 %BOOK_ENTITIES;
 ]>

 <!-- Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
  distributed with this work for additional information
  regarding copyright ownership.  The ASF licenses this file
  to you under the Apache License, Version 2.0 (the
  "License"); you may not use this file except in compliance
  with the License.  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing,
  software distributed under the License is distributed on an
  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, either express or implied.  See the License for the
  specific language governing permissions and limitations
  under the License.
 -->

 <section id="change-console-proxy-ssl-certificate-domain">
     <title>Changing the Console Proxy SSL Certificate and Domain</title>
     <para>If the administrator prefers, it is possible for the URL of the customer's console session to show a domain other than realhostip.com. The administrator can customize the displayed domain by selecting a different domain and uploading a new SSL certificate and private key. The domain must run a DNS service that is capable of resolving queries for addresses of the form aaa-bbb-ccc-ddd.your.domain to an IPv4 IP address in the form aaa.bbb.ccc.ddd, for example, 202.8.44.1. To change the console proxy domain, SSL certificate, and private key:</para>
     <orderedlist>
         <listitem><para>Set up dynamic name resolution or populate all possible DNS names in your public IP range into your existing DNS server with the format aaa-bbb-ccc-ddd.company.com -> aaa.bbb.ccc.ddd.</para></listitem>
         <listitem><para>Generate the private key and certificate signing request (CSR). When you are using openssl to generate private/public key pairs and CSRs, for the private key that you are going to paste into the &PRODUCT; UI, be sure to convert it into PKCS#8 format.</para>
         <orderedlist numeration="loweralpha">
             <listitem><para>Generate a new 2048-bit private key</para><programlisting>openssl genrsa -des3 -out yourprivate.key 2048</programlisting></listitem>
             <listitem><para>Generate a new certificate CSR</para><programlisting>openssl req -new -key yourprivate.key -out yourcertificate.csr</programlisting></listitem>
             <listitem><para>Head to the website of your favorite trusted Certificate Authority, purchase an SSL certificate, and submit the CSR. You should receive a valid certificate in return</para></listitem>
             <listitem><para>Convert your private key format into PKCS#8 encrypted format.</para><programlisting>openssl pkcs8 -topk8 -in yourprivate.key -out yourprivate.pkcs8.encrypted.key</programlisting></listitem>
             <listitem><para>Convert your PKCS#8 encrypted private key into the PKCS#8 format that is compliant with &PRODUCT;</para><programlisting>openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key</programlisting></listitem>
         </orderedlist>
         </listitem>
         <listitem><para>In the Update SSL Certificate screen of the &PRODUCT; UI, paste the following</para>
         <itemizedlist>
             <listitem><para>The Certificate you generated in the previous steps.</para></listitem>
             <listitem><para>The Private key you generated in the previous steps.</para></listitem>
             <listitem><para>The desired new domain name; for example, company.com</para></listitem>
         </itemizedlist>
         </listitem>
         <listitem><para>The desired new domain name; for example, company.com</para><para>This stops all currently running console proxy VMs, then restarts them with the new certificate and key. Users might notice a brief interruption in console availability</para></listitem>
         </orderedlist>
     <para>The Management Server will generate URLs of the form "aaa-bbb-ccc-ddd.company.com" after this change is made. New console requests will be served with the new DNS domain name, certificate, and key</para>
 </section>
	<?xml version='1.0' encoding='utf-8' ?>
	<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
	<!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent">
	%BOOK_ENTITIES;
	]>

	<!-- Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->

	<section id="change-console-proxy-ssl-certificate-domain">
	<title>Changing the Console Proxy SSL Certificate and Domain</title>
	<para>If the administrator prefers, it is possible for the URL of the customer's console session to show a domain other than realhostip.com. The administrator can customize the displayed domain by selecting a different domain and uploading a new SSL certificate and private key. The domain must run a DNS service that is capable of resolving queries for addresses of the form aaa-bbb-ccc-ddd.your.domain to an IPv4 IP address in the form aaa.bbb.ccc.ddd, for example, 202.8.44.1. To change the console proxy domain, SSL certificate, and private key:</para>
	<orderedlist>
	<listitem><para>Set up dynamic name resolution or populate all possible DNS names in your public IP range into your existing DNS server with the format aaa-bbb-ccc-ddd.company.com -> aaa.bbb.ccc.ddd.</para></listitem>
	<listitem><para>Generate the private key and certificate signing request (CSR). When you are using openssl to generate private/public key pairs and CSRs, for the private key that you are going to paste into the &PRODUCT; UI, be sure to convert it into PKCS#8 format.</para>
	<orderedlist numeration="loweralpha">
	<listitem><para>Generate a new 2048-bit private key</para><programlisting>openssl genrsa -des3 -out yourprivate.key 2048</programlisting></listitem>
	<listitem><para>Generate a new certificate CSR</para><programlisting>openssl req -new -key yourprivate.key -out yourcertificate.csr</programlisting></listitem>
	<listitem><para>Head to the website of your favorite trusted Certificate Authority, purchase an SSL certificate, and submit the CSR. You should receive a valid certificate in return</para></listitem>
	<listitem><para>Convert your private key format into PKCS#8 encrypted format.</para><programlisting>openssl pkcs8 -topk8 -in yourprivate.key -out yourprivate.pkcs8.encrypted.key</programlisting></listitem>
	<listitem><para>Convert your PKCS#8 encrypted private key into the PKCS#8 format that is compliant with &PRODUCT;</para><programlisting>openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key</programlisting></listitem>
	</orderedlist>
	</listitem>
	<listitem><para>In the Update SSL Certificate screen of the &PRODUCT; UI, paste the following</para>
	<itemizedlist>
	<listitem><para>The Certificate you generated in the previous steps.</para></listitem>
	<listitem><para>The Private key you generated in the previous steps.</para></listitem>
	<listitem><para>The desired new domain name; for example, company.com</para></listitem>
	</itemizedlist>
	</listitem>
	<listitem><para>The desired new domain name; for example, company.com</para><para>This stops all currently running console proxy VMs, then restarts them with the new certificate and key. Users might notice a brief interruption in console availability</para></listitem>
	</orderedlist>
	<para>The Management Server will generate URLs of the form "aaa-bbb-ccc-ddd.company.com" after this change is made. New console requests will be served with the new DNS domain name, certificate, and key</para>
	</section>