Chapter 12. SSL Certificates

During the installation process, a self-signed SSL (Secure Sockets Layer) certificate and its private key are generated for the XenServer host and stored together in /etc/xensource/xapi-ssl.pem; the certificate is set to expire after 10 years. It is used to secure communications between the host and management tools, other XenServer hosts in the pool, and third-party software.

Reboot Required

If the default certificate for a XenServer host is going to be replaced or updated, it is recommended to reboot that XenServer host afterwards. Ensure that guest VMs are halted or migrated to other hosts within the XenServer pool before doing so. Lastly, all administrators using XenCenter should expect, upon reconnecting to the XenServer host, a warning that the SSL certificate has changed and that trust must be reestablished. Before accepting the change, the administrator should compare the fingerprint XenCenter presents with the fingerprint of the certificate that was just installed; accepting it then reestablishes trust from XenCenter to the host.

Apply a Commercial Certificate

Problem

A self-signed SSL certificate is not acceptable for your organization and a commercial one must be used.

Solution

XenServer supports replacing the default self-signed certificate with one issued by a trusted certificate authority (CA).

Discussion

In the process of obtaining a signed certificate from a trusted authority, you will need to generate a CSR (certificate signing request). This is generated together with a new private key. The CSR is a Base64-encoded block of text containing your public key and identifying information about your organization, location, and an administrative contact for the host, signed with the private key; it is not encrypted. The CA uses the CSR to issue a signed, trusted SSL certificate for your XenServer host without ever needing to receive your private key, which should never leave the host.

To generate the CSR and private key for a specific XenServer host, issue the commands in Example 12-1 to store both in the /root/ directory. Because -nodes writes the private key unencrypted, keep myserver.key readable only by root and do not send it to the CA.

Example 12-1. Producing myserver.csr in /root/
# cd /root/
# openssl req -new -nodes -keyout myserver.key \
    -out myserver.csr \
    -newkey rsa:2048

After sharing the myserver.csr file with a trusted authority, they will return to you a signed certificate, and usually one or more intermediate CA certificates, in PEM format; the CA never returns a private key, because it never had yours. If you are unsure whether the returned files are PEM (Base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines), contact your trusted authority to confirm this before continuing. XenServer reads the private key and the certificate from a single file, so concatenate myserver.key, the signed certificate, and any intermediate certificates, in that order, into one .pem file before installing it.

With the combined .pem file prepared, use scp or any secure copy program to copy it into the /tmp/ directory of your XenServer host. Access the command line of the XenServer host and back up the original self-signed certificate by issuing the command in Example 12-2.

Example 12-2. Back up original SSL certificate
# mv /etc/xensource/xapi-ssl.pem \
    /etc/xensource/xapi-ssl.pem_original

Move and rename your new .pem file so that it replaces the original, and restrict its permissions, using the commands in Example 12-3.

Example 12-3. Replace original certificate and reset its permissions
# mv /tmp/your_certificate.pem /etc/xensource/xapi-ssl.pem
# chmod 400 /etc/xensource/xapi-ssl.pem

To apply the new certificate, reboot the XenServer host.
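The CA's reply is easy to get wrong: the wrong certificate for the key, a missing intermediate, or the key and certificate concatenated in the wrong order, and the host only tells you at the next XenCenter connection. The following helper, added here as an example and not part of XenServer or of this chapter's original commands, performs the checks before anything is copied over xapi-ssl.pem. It assumes OpenSSL is on the host and that the file names and the CA bundle path are placeholders you substitute.

```shell
#!/bin/sh
# Added example for this chapter, not XenServer's own tooling: assemble the
# combined PEM that replaces /etc/xensource/xapi-ssl.pem from the private key
# generated with the CSR and the certificate (plus optional intermediates)
# returned by the CA, refusing to build it if the key and certificate do not
# belong together. File names below are placeholders (assumption).
set -u

# Print a SHA-256 digest of the public key inside a private key ("key") or a
# certificate ("cert"); comparing digests avoids printing key material.
pubkey_digest() {
    if [ "$2" = key ]; then
        openssl pkey -in "$1" -pubout 2>/dev/null
    else
        openssl x509 -in "$1" -pubkey -noout 2>/dev/null
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when the certificate was issued for exactly this private key.
key_matches_cert() {
    k=$(pubkey_digest "$1" key)
    c=$(pubkey_digest "$2" cert)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Write key, host certificate, then intermediates (if given) into one file,
# the order XenServer's xapi-ssl.pem uses, created mode 0600 and only after
# the key/certificate check passes.
build_xapi_pem() {
    key=$1; cert=$2; out=$3
    key_matches_cert "$key" "$cert" || {
        echo "refusing: $cert was not issued for $key" >&2
        return 1
    }
    (
        umask 077
        { cat "$key"; cat "$cert"; if [ $# -ge 4 ]; then cat "$4"; fi; } > "$out"
    ) || return 1
}

# Check that the host certificate in a combined PEM chains to a trusted CA
# bundle, using the intermediates file (if given) as untrusted helpers.
verify_chain() {
    if [ $# -ge 3 ]; then
        openssl x509 -in "$1" 2>/dev/null | openssl verify -CAfile "$2" -untrusted "$3" >/dev/null 2>&1
    else
        openssl x509 -in "$1" 2>/dev/null | openssl verify -CAfile "$2" >/dev/null 2>&1
    fi
}

# Typical use on the host (paths are assumptions):
#   build_xapi_pem /root/myserver.key /tmp/myserver.crt /tmp/xapi-ssl.pem /tmp/chain.pem
#   verify_chain /tmp/xapi-ssl.pem /etc/pki/tls/certs/ca-bundle.crt /tmp/chain.pem
```

Only after both functions succeed is /tmp/xapi-ssl.pem worth moving into place with Example 12-3. The public-key digest comparison is preferred over the older modulus comparison because it works unchanged for non-RSA keys.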

Create a New Self-Signed Certificate

Problem

An updated SSL certificate is required to address a potential security concern.

Solution

Create a new SSL certificate on the XenServer host.

Discussion

The following steps, executed from the XenServer host’s command line, will generate a new certificate in the same manner the XenServer installer does. Because the XenServer installer uses a default of 10 years, or 3,650 days, we will also create a 10-year certificate. If a shorter amount of time is required, simply enter the number of days you would like the host’s certificate to be valid, such as 365 (for one year).

Before proceeding, ensure that the current IP address of the XenServer's management interface is the one it will keep in production. The new certificate's Common Name (CN) is set to this address; if the IP address is changed later on, the CN will no longer match the host, clients such as XenCenter will warn about or refuse the certificate, and the process will need to be repeated with the new IP.

A quick means to determine the management interface’s IP address is shown in Example 12-4.

Example 12-4. Determine primary management IP
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: xenbr0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether b8:ac:6f:85:f4:91 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.20/8 brd 10.0.0.255 scope global xenbr0
       valid_lft forever preferred_lft forever

Execute the script in Example 12-5 to create the new SSL certificate where the CN (Common Name) is set to the primary management IP found in Example 12-4, here 10.0.0.20. A 1024-bit RSA key and 512-bit Diffie-Hellman parameters, as older XenServer installers produced, are below current minimum strengths, so the example uses 2048 bits for each; generating 2048-bit DH parameters can take several minutes on a busy host. Because -keyout and -out name the same file, openssl writes the private key first and appends the certificate, which is the layout xapi-ssl.pem expects.

Example 12-5. Create new certificate
# cd ~
# mkdir cert
# cd cert/
# openssl req -x509 -nodes -days 3650 -subj '/CN=10.0.0.20' \
    -newkey rsa:2048 -keyout new-ssl.pem -out new-ssl.pem
# openssl dhparam 2048 >> new-ssl.pem

Execute the script in Example 12-6 to replace the original SSL certificate with this new certificate.

Example 12-6. Replace original SSL certificate
# mv /etc/xensource/xapi-ssl.pem /root/cert/xapi-ssl.pem_original
# mv /root/cert/new-ssl.pem /etc/xensource/xapi-ssl.pem
# chmod 400 /etc/xensource/xapi-ssl.pem

Once complete, reboot the XenServer host to load the new certificate.
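Before the reboot it is worth confirming that the file now in /etc/xensource/xapi-ssl.pem is the one you intended: that its CN matches the management IP (the failure mode described above), that it is not about to expire, that the key size is acceptable, and what fingerprint XenCenter users should see when they are asked to re-trust the host. The following audit helper is an added example, not XenServer's own tooling or part of this chapter's original commands; it assumes OpenSSL on the host, and the file path and IP address in the usage comment are the chapter's sample values.

```shell
#!/bin/sh
# Added example for this chapter, not XenServer's own tooling: audit the
# certificate installed in /etc/xensource/xapi-ssl.pem (or a candidate file)
# before rebooting: does its Common Name match the management IP, does it
# have at least N days left, is the RSA key at least 2048 bits, and what
# fingerprint should XenCenter users expect at the trust prompt?
set -u

# Common Name from the certificate's subject, printed in fixed RFC 2253 form
# so the result does not depend on the OpenSSL version's spacing.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# SHA-256 fingerprint, the value to compare against XenCenter's trust prompt.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Size in bits of the certificate's public key.
key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if CN equals the management IP, the certificate stays valid
# for at least $3 more days (default 30), and the key is at least 2048 bits.
check_host_cert() {
    pem=$1; ip=$2; min_days=${3:-30}
    cn=$(cert_cn "$pem")
    [ "$cn" = "$ip" ] || { echo "CN '$cn' does not match management IP $ip" >&2; return 1; }
    openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 \
        || { echo "certificate expires within $min_days days" >&2; return 1; }
    bits=$(key_bits "$pem")
    [ "${bits:-0}" -ge 2048 ] || { echo "key is only ${bits:-?} bits" >&2; return 1; }
}

# Typical use on the host; the management IP is the one shown by "ip addr
# show" as in Example 12-4 (10.0.0.20 is the chapter's sample address):
#   check_host_cert /etc/xensource/xapi-ssl.pem 10.0.0.20 90 \
#       && cert_fingerprint /etc/xensource/xapi-ssl.pem
```

Run the check against the combined PEM as it sits in /etc/xensource; openssl x509 skips the leading private-key block and reads the first certificate. Publish the fingerprint it prints to the XenCenter administrators so they can accept the trust change knowingly rather than reflexively.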
