| <?xml version='1.0' encoding='utf-8' ?> |
| <!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ |
| <!ENTITY % BOOK_ENTITIES SYSTEM "cloudstack.ent"> |
| %BOOK_ENTITIES; |
| ]> |
| |
| <!-- Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| |
| <section id="change-console-proxy-ssl-certificate-domain"> |
| <title>Changing the Console Proxy SSL Certificate and Domain</title> |
| <para>If the administrator prefers, it is possible for the URL of the customer's console session to show a domain other than realhostip.com. The administrator can customize the displayed domain by selecting a different domain and uploading a new SSL certificate and private key. The domain must run a DNS service that is capable of resolving queries for addresses of the form aaa-bbb-ccc-ddd.your.domain to an IPv4 IP address in the form aaa.bbb.ccc.ddd, for example, 202.8.44.1. To change the console proxy domain, SSL certificate, and private key:</para> |
| <orderedlist> |
| <listitem><para>Set up dynamic name resolution or populate all possible DNS names in your public IP range into your existing DNS server with the format aaa-bbb-ccc-ddd.company.com -> aaa.bbb.ccc.ddd.</para></listitem> |
| <listitem><para>Generate the private key and certificate signing request (CSR). When you are using openssl to generate private/public key pairs and CSRs, for the private key that you are going to paste into the &PRODUCT; UI, be sure to convert it into PKCS#8 format.</para> |
| <orderedlist numeration="loweralpha"> |
| <listitem><para>Generate a new 2048-bit private key</para><programlisting>openssl genrsa -des3 -out yourprivate.key 2048</programlisting></listitem> |
| <listitem><para>Generate a new certificate CSR</para><programlisting>openssl req -new -key yourprivate.key -out yourcertificate.csr</programlisting></listitem> |
| <listitem><para>Head to the website of your favorite trusted Certificate Authority, purchase an SSL certificate, and submit the CSR. You should receive a valid certificate in return</para></listitem> |
| <listitem><para>Convert your private key format into PKCS#8 encrypted format.</para><programlisting>openssl pkcs8 -topk8 -in yourprivate.key -out yourprivate.pkcs8.encrypted.key</programlisting></listitem> |
| <listitem><para>Convert your PKCS#8 encrypted private key into the PKCS#8 format that is compliant with &PRODUCT;</para><programlisting>openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key</programlisting></listitem> |
| </orderedlist> |
| </listitem> |
| <listitem><para>In the Update SSL Certificate screen of the &PRODUCT; UI, paste the following</para> |
| <itemizedlist> |
| <listitem><para>The Certificate you generated in the previous steps.</para></listitem> |
| <listitem><para>The Private key you generated in the previous steps.</para></listitem> |
| <listitem><para>The desired new domain name; for example, company.com</para></listitem> |
| </itemizedlist> |
| </listitem> |
| <listitem><para>The desired new domain name; for example, company.com</para><para>This stops all currently running console proxy VMs, then restarts them with the new certificate and key. Users might notice a brief interruption in console availability</para></listitem> |
| </orderedlist> |
| <para>The Management Server will generate URLs of the form "aaa-bbb-ccc-ddd.company.com" after this change is made. New console requests will be served with the new DNS domain name, certificate, and key</para> |
| </section> |