This topic details tasks to configure SSL/TLS for the User-Facing Services (UFS)
If you have more than one host (other than node controllers), note the following:
Eucalyptus uses a PKCS12-format keystore. If you are using a certificate signed by a trusted root CA, perform the following steps.
Enter the following command to convert your trusted certificate and key into an appropriate format:
openssl pkcs12 -export -in [YOURCERT.crt] -inkey [YOURKEY.key] \
-out tmp.p12 -name [key_alias]
The above command will request an export password, which is used in the following steps.
Save a backup of the Eucalyptus keystore, at /var/lib/eucalyptus/keys/euca.p12 . Import your keystore into the Eucalyptus keystore on the UFS:
keytool -importkeystore -srckeystore tmp.p12 -srcstoretype pkcs12 \
-srcstorepass [export_password] -destkeystore /var/lib/eucalyptus/keys/euca.p12 \
-deststoretype pkcs12 -deststorepass eucalyptus -alias [key_alias] -destkeypass eucalyptus
To enable the UFS to use the keystore, perform the following steps in the CLC because the UFS gets all its configuration information from the CLC. Run the following commands on the CLC:
euctl bootstrap.webservices.ssl.server_alias=[key_alias]
To allow user facing services requests on port 443 instead of the default 8773, run the following commands on the CLC:
euctl bootstrap.webservices.port=443