Do you know how to change the default SSL Server Certificate of the Walrus service? Currently, the default CN of the certificate is localhost, and we would like to replace the default one.
Our environment:
Ubuntu: 10.04
Eucalyptus: 1.6.2
I can change the default certificate of the admin web interface published via https://(host):8443 based on the following guide:
1. > cd $EUCALYPTUS/var/lib/eucalyptus/keys
2. copy the keystore to euca.p12.save
> cp euca.p12 euca.p12.save
3. copy the keystore to an experimental
> cp euca.p12 euca_experiment.p12
4. Delete old self signed key
> keytool -delete -alias db -v -keystore euca_experiment.p12 -storetype pkcs12
5. Cut new key. Note that YOURFULLYQUALIFIEDDOMAINNAME is something like http://www.yahoo.com
> keytool -v -keystore euca_experiment.p12 -storetype pkcs12 -genkeypair -dname "cn=YOURFULLYQUALIFIEDDOMAINNAME, ou=YOURORGANIZATIONUNIT, o=YOURORGANIZATION, c=YOURCOUNTRY, l=YOURTOWN, st=YOURSTATE" -alias db -validity 365 -keyalg RSA -keysize 2048
6. Gen certificate signing request
> keytool -v -keystore euca_experiment.p12 -storetype pkcs12 -alias db -certreq -file myreqest.csr
7. Get it signed by your Certificate Authority (CA). At MIT CSAIL we have our own CA, but you could use Verisign, etc. We will call the response response.pem
8. Convert the pem file to a der file if the CA gives you a pem as the response
> openssl x509 -in response.pem -inform PEM -out response.der -outform DER
9. Add the CA's master keys and sub keys to your trusted chain. Unfortunately, you cannot store this in the euca_experiment.p12 file because p12 files don't seem to be able to. Therefore you can store it in your Java implementation's cacerts file. Note that I don't know if you need this step if you are signed by Verisign. We had to do this because we have our own Master CA. The cacerts file is supposed to live in $JAVA_HOME/lib/security/cacerts. On our Debian system this is a symbolic link to /etc/ssl/certs/java/cacerts
> keytool -v -keystore $JAVA_HOME/lib/security/cacerts -storetype jks -alias master -importcert -file master.cer
> password 'changeit' (default java one should be ok to use)
If needed:
> keytool -v -keystore $JAVA_HOME/lib/security/cacerts -storetype jks -alias subkey -importcert -file subkey.cer
10. Add your signed cert
> keytool -v -keystore euca_experiment.p12 -storetype pkcs12 -alias db -importcert -file response.der -trustcacerts
11. Stop your cc and cloud
> /etc/init.d/eucalyptus-cc stop
> /etc/init.d/eucalyptus-cloud stop
12. Copy over the new key file
> cp euca_experiment.p12 euca.p12
13. Start your cc and cloud
> /etc/init.d/eucalyptus-cloud start
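
A check to run between steps 10 and 12, before euca.p12 is overwritten, as an added example that is not part of the original post: it reads `keytool -list -v` output for alias db and confirms the entry still has its private key, carries the expected CN, and is no longer self-signed. The function name `check_listing`, the hostname cloud.example.org and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed invocation (keytool prompts for the keystore password):
#   keytool -list -v -keystore euca_experiment.p12 -storetype pkcs12 -alias db \
#     | check_listing cloud.example.org

# Reads a keytool listing on stdin; $1 is the hostname clients will connect to.
# Prints one line per problem and returns non-zero if any problem was found.
check_listing() {
    want_cn=$1
    listing=$(cat)
    rc=0

    # The first Owner:/Issuer: pair belongs to Certificate[1], the server cert.
    owner=$(printf '%s\n' "$listing" | sed -n 's/^Owner: //p' | head -n 1)
    issuer=$(printf '%s\n' "$listing" | sed -n 's/^Issuer: //p' | head -n 1)
    cn=$(printf '%s\n' "$owner" | tr ',' '\n' | sed -n 's/^ *[Cc][Nn]=//p' | head -n 1)

    # A trustedCertEntry here would mean the key pair was lost along the way.
    if ! printf '%s\n' "$listing" | grep -q '^Entry type: PrivateKeyEntry'; then
        echo "FAIL: alias has no private key entry"; rc=1
    fi
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: subject CN is '$cn', expected '$want_cn'"; rc=1
    fi
    if [ -n "$owner" ] && [ "$owner" = "$issuer" ]; then
        echo "FAIL: certificate is still self-signed (Owner equals Issuer)"; rc=1
    fi
    return $rc
}

# Constructed sample listings (not captured from a real keystore).
SAMPLE_DEFAULT='Alias name: db
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Example, O=Example, C=US
Issuer: CN=localhost, OU=Example, O=Example, C=US'

SAMPLE_SIGNED='Alias name: db
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=cloud.example.org, OU=Example, O=Example, C=US
Issuer: CN=Example Sub CA, O=Example, C=US'

# Demo on the constructed default listing: both the CN and self-signed checks fire.
printf '%s\n' "$SAMPLE_DEFAULT" | check_listing cloud.example.org \
    || echo "do not copy euca_experiment.p12 over euca.p12 yet"
```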