Posted to users@cloudstack.apache.org by Kelven Yang <ke...@citrix.com> on 2012/09/21 20:07:52 UTC

FW: realhostip certificate role in Cloudstack

Posting on the user list; I hope the information is helpful.

Kelven


On 9/21/12 10:26 AM, "Kelven Yang" <ke...@citrix.com> wrote:

>Periodically we get questions asking what exactly the realhostip DNS name
>is doing in CloudStack. The realhostip.com domain exists to make HTTPS
>work across all CloudStack installations at different customer sites,
>without administrators having to worry about how to load an SSL
>certificate due to deployment environment changes.
>
>SSL certificates are used in CloudStack system VMs to host HTTPS
>connections; for example, the console proxy VM and the secondary storage
>VM both use one in their HTTP servers. The realhostip.com SSL certificate
>is signed with wild-match addresses, so all DNS names under
>*.realhostip.com are qualified to use the certificate. Because every
>CloudStack customer has its own environment, each one has its own set of
>system VMs in its installation, and each system VM instance has its own
>set of IP addresses. To use ONE certificate for all these instances
>among different customers, we came up with a solution by providing a
>dynamic DNS service hosted by CloudStack. The DDNS service basically
>translates DNS names of the following form to IP addresses:
>
>xxx-xxx-xxx-xxx.realhostip.com to IP address xxx.xxx.xxx.xxx
>
>CloudStack has control of the IP addresses in each installation, so
>whenever we need an SSL certificate, no matter which customer is running
>the installation, with such a DDNS service available we can always assign
>it a suffix under the realhostip.com domain on top of ever-changing IP
>addresses. This is the trick we play to make ONE SSL certificate
>applicable universally among all CloudStack installations.
>
>In most of these cases, the ugly-formed DNS name is not visible to end
>users, since its main purpose is to help establish a secure communication
>channel (not truly to certify a site). However, there are cases where a
>customer may care; therefore, the console proxy VM does provide a
>customizable way for users to use their own SSL certificates.
>
>Kelven
>
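
The name-to-address mapping described in the message above, as an added example that is not part of the original post and is not CloudStack code. The function names and the 192.0.2.x sample addresses are constructed for illustration, and wildcard_covers assumes the usual certificate matching rule that "*" stands for exactly one DNS label.

```python
import ipaddress

DOMAIN = "realhostip.com"   # domain named in the post
WILDCARD = "*." + DOMAIN    # certificate name described in the post


def name_for_ip(ip, domain=DOMAIN):
    """Dashed host name for an IPv4 address (hypothetical helper)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return str(addr).replace(".", "-") + "." + domain


def resolve(name, domain=DOMAIN):
    """IPv4 address encoded in `name`, or None if it does not fit the scheme."""
    name = name.rstrip(".").lower()
    suffix = "." + domain
    if not name.endswith(suffix):
        return None
    parts = name[: -len(suffix)].split("-")
    if len(parts) != 4:
        return None
    for p in parts:
        # ASCII digits only, no leading zeros, each octet in 0..255
        if not (p.isascii() and p.isdigit()):
            return None
        if (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return None
    return ".".join(parts)


def wildcard_covers(name, pattern=WILDCARD):
    """True if a certificate for `pattern` covers `name` (one label per '*')."""
    n = name.rstrip(".").lower().split(".")
    p = pattern.lower().split(".")
    if len(n) != len(p) or p[0] != "*" or not n[0]:
        return False
    return n[1:] == p[1:]


if __name__ == "__main__":
    # Constructed samples: the dashed form is covered, a dotted form is not.
    for host in (name_for_ip("192.0.2.10"), "192.0.2.10." + DOMAIN):
        print(host, resolve(host), wildcard_covers(host))
```

Under the single-label rule, the dashed form is one label under realhostip.com and is covered by the wildcard certificate, while the same address written with dots is four labels deep and is not.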