
CP-53747 document PEM/Certificate relation #6329


Merged
merged 1 commit into from
Mar 5, 2025

Contributor

@lindig lindig commented Feb 27, 2025

Add documentation for the various PEM files found in a XenServer installation.

@lindig lindig requested a review from psafont February 27, 2025 16:51

User-installed certificates; they are not essential for the operation of
a pool from Xapi's perspective. They make stunnel aware of certificates
used by clients when using HTTPS for API calls.
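
Review bot: "certificates used by clients when using HTTPS for API calls" in the second sentence does not say which side of the TLS connection presents these certificates, or whether stunnel treats them as trust anchors for verifying a peer. State the direction (connections Xapi accepts versus connections Xapi makes) and the role the certificates play, so a reader can tell what removing one would break.
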
Member

They are used to connect to WLB

* `Pool.install_ca_certificate`
* `Pool.uninstall_ca_certificate`
* `xe pool-certificate-sync` explicitly distribute these certificates in
the pool.
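
Review bot: the third bullet reads "explicitly distribute these certificates"; the verb should be "distributes". The first two bullets list `Pool.install_ca_certificate` and `Pool.uninstall_ca_certificate` with no description while the third bullet has one; add a short phrase to each saying what the call does to the certificate set, so all three entries read the same way.
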
Member

@psafont psafont Feb 27, 2025

Xapi is able to use client certificates as well to accept incoming connections, although not in use anymore. They were used for the cloud project

* `xe host-server-certificate-install` XE command to replace the
certificate.
* See below for xapi-stunnel-ca-bundle for additional certificates that
can be added to a pool in support of a user-supplied host certificate.
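
Review bot: in the second bullet, xapi-stunnel-ca-bundle is written without backticks while the command in the first bullet is formatted as code, and "See below" gives the reader no target to jump to. Format the name as code and link to the heading of the section that describes it.
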
Contributor

Is the user-supplied host certificate the same as user-installed in L97 and user-provided in L110? If yes, suggest using the same word.

* bundle of public keys provided by a user
* constructed from PEM files in `certs/`
* `/opt/xensource/bin/update-ca-bundle.sh` generates the bundle from PEM files
* Updated by a user using `xe pool-install-ca-certificate`
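
Review bot: the first bullet calls this a "bundle of public keys", but the following bullets say it is built from PEM files and updated with `xe pool-install-ca-certificate`, so the contents are CA certificates rather than bare public keys; say "bundle of CA certificates" to match. The second bullet also gives `certs/` as a relative path while the script in the third bullet has an absolute one; spell out the full directory.
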
Contributor

Where is the pool-install-ca-certificate pem stored?

Add documentation for the various PEM files found in a XenServer
installation.

Signed-off-by: Christian Lindig <christian.lindig@cloud.com>
@lindig lindig force-pushed the private/christianlin/CP-53747 branch from a577aa8 to 4c1777e Compare March 5, 2025 10:03
@lindig lindig added this pull request to the merge queue Mar 5, 2025
Merged via the queue into xapi-project:master with commit 198b021 Mar 5, 2025
15 checks passed