
Installing CA Signed Certificates on the Web Interface

This document describes how to generate a CSR (Certificate Signing Request) for the Eucalyptus web interface, replacing the self-signed certificate that ships with Eucalyptus, and how to import the CA (Certificate Authority) signed certificate back into Eucalyptus. Before we get started, I would like to thank wentzlaf for his how-to on this solution.

Prerequisites

  1. Eucalyptus up and running
  2. Access to a public Certificate Authority for signing web certificates (i.e. Thawte, Verisign, etc.)
  3. Understanding of public key certificates
  4. Linux command-line tools - keytool, openssl

[NOTE] The environment variable $EUCALYPTUS is / by default. If you aren't sure what your $EUCALYPTUS is, run "echo $EUCALYPTUS". This matters because it is the directory where Eucalyptus is installed. Throughout the rest of this document $EUCALYPTUS is assumed to be the default, /.

Installing a CA Signed Certificate for the Web Interface

  1. Navigate to the keys directory located under $EUCALYPTUS/var/lib/eucalyptus
    # cd $EUCALYPTUS/var/lib/eucalyptus/keys
  2. Make a copy of the euca.p12 keystore. We do this as a backup.
    # cp euca.p12 euca.p12.save
  3. Copy the euca.p12 keystore to a working keystore so that we have something to start from. In this example, the working keystore is called euca_test.p12
    # cp euca.p12 euca_test.p12
  4. Delete the old self-signed key by using keytool
    # keytool -delete -alias db -v -keystore euca_test.p12 -storetype pkcs12
  5. Create the new key pair. Make sure that YOURFULLYQUALIFIEDDOMAINNAME is the real, resolvable name of the host, in the form test.something.com, since the CA will issue the certificate for that name.
    # keytool -v -keystore euca_test.p12 -storetype pkcs12 -genkeypair -dname "cn=YOURFULLYQUALIFIEDDOMAINNAME, ou=YOURORGANIZATIONUNIT, o=YOURORGANIZATION, c=YOURCOUNTRY, l=YOURTOWN, st=YOURSTATE" -alias db -validity 365 -keyalg RSA -keysize 2048
  6. Generate a CSR that you will send to the CA to get signed. In this example, the CSR will be named euca_test.csr
    # keytool -v -keystore euca_test.p12 -storetype pkcs12 -alias db -certreq -file euca_test.csr
  7. After the CA has signed the CSR, create a file called euca_test.pem containing the signed certificate (X.509 format). Convert euca_test.pem to euca_test.der with openssl, since the Eucalyptus Web UI keystore needs DER format.
    # openssl x509 -in euca_test.pem -inform PEM -out euca_test.der -outform DER
  8. Now add the signed certificate using keytool
    # keytool -v -keystore euca_test.p12 -storetype pkcs12 -alias db -importcert -file euca_test.der -trustcacerts
  9. All that is left to do is to get Eucalyptus to recognize the new certificate. To do that, you need to stop the Cluster Controller and Cloud Controller, copy the new key file to euca.p12, then start the Cloud Controller and Cluster Controller.
    # /etc/init.d/eucalyptus-cc stop
    # /etc/init.d/eucalyptus-cloud stop
    # cp euca_test.p12 euca.p12
    # /etc/init.d/eucalyptus-cloud start
    # /etc/init.d/eucalyptus-cc start
  10. Now when you go to https://test.something.com:8443 (following this example), you will arrive at the Eucalyptus Web Interface without being prompted to accept a certificate. I hope this helps. If anyone has any additional information, please feel free to comment.
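The CA's reply is the one input in this procedure that comes from outside, and the usual failures (a certificate issued for a different key, a wrong or mistyped CN, a missing intermediate) only surface after the keystore has been swapped in step 9. The script below is an added example, not part of the Eucalyptus how-to, that checks the reply between steps 7 and 8 using only the openssl command-line tool. It assumes the file names from the example above (euca_test.csr from step 6, euca_test.pem from step 7); the CA chain file name ca-bundle.pem and the function names are placeholders of my own.

```shell
#!/bin/sh
# Pre-import sanity checks for the CA's reply (added example, not part of the
# Eucalyptus how-to). Assumed inputs: euca_test.csr from step 6, euca_test.pem
# as returned by the CA in step 7, and a CA chain file whose name is a
# placeholder here (ca-bundle.pem). Needs only the openssl command-line tool.

# 0 if the public key in the signed certificate is the key generated in step 5
# (compared through the CSR). A reply for a different key makes
# keytool -importcert fail, or leaves the keystore serving the wrong key.
key_matches_csr() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$cert_pub" ]
}

# 0 if the subject commonName is exactly the expected fully qualified name.
subject_cn_is() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1)
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# 0 if the expected name is also listed as a DNS subjectAltName. Current
# browsers match the host name against SAN rather than CN, so a CN-only
# certificate still produces a warning even though the how-to only sets CN.
san_lists() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | grep -qwF "DNS:$2"
}

# 0 if issuer and subject differ, i.e. the CA actually issued the certificate
# (catches the mistake of importing the step-5 self-signed certificate again).
is_ca_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ -n "$subj" ] && [ "${subj#subject=}" != "${iss#issuer=}" ]
}

# 0 if the certificate chains to the CA bundle and is valid right now.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check and report each; returns 0 only if all of them pass.
# Usage: check_reply euca_test.csr euca_test.pem ca-bundle.pem test.something.com
# (paths without spaces, since each check is expanded as one command line)
check_reply() {
    csr=$1 cert=$2 bundle=$3 fqdn=$4 rc=0
    for check in "key_matches_csr $csr $cert" "subject_cn_is $cert $fqdn" \
                 "san_lists $cert $fqdn" "is_ca_issued $cert" \
                 "chain_verifies $cert $bundle"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
    done
    return $rc
}
```

Run check_reply before step 8 and only continue when every line reads PASS. If the CA sent an intermediate certificate, keytool's -trustcacerts in step 8 only consults the JRE's own cacerts file, so import the intermediate into euca_test.p12 under its own alias before importing the signed certificate under the db alias. After step 9, `openssl s_client -connect test.something.com:8443 -servername test.something.com </dev/null | openssl x509 -noout -subject -issuer` shows which certificate the Web Interface is actually serving.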
