|
| 1 | + |
| 2 | ++++ |
| 3 | +title = "Certificates and PEM Files" |
| 4 | ++++ |
| 5 | + |
| 6 | +Xapi uses certificates for secure communication within a pool and with |
| 7 | +external clients. These certificates are using the PEM file format and |
| 8 | +reside in the Dom0 file system. This documents explains the purpose of |
| 9 | +these files. |
| 10 | + |
| 11 | +## Design Documents |
| 12 | + |
| 13 | +* [Pool Certificates](../../design/pool-certificates.md) |
| 14 | +* [User Certificates](../../design/user-certificates.md) |
| 15 | + |
| 16 | +## Paths |
| 17 | + |
| 18 | +Below are paths used by Xapi for certificates; additional certficates |
| 19 | +may be installed but they are not fundamental for Xapi's operation. |
| 20 | + |
| 21 | +``` |
| 22 | +/etc/xensource/xapi-ssl.pem |
| 23 | +/etc/xensource/xapi-pool-tls.pem |
| 24 | +/etc/stunnel/certs-pool/1c111a1f-412e-47c0-9003-60789b839bc3.pem |
| 25 | +/etc/stunnel/certs-pool/960abfff-6017-4d97-bd56-0a8f1a43e51a.pem |
| 26 | +/etc/stunnel/xapi-stunnel-ca-bundle.pem |
| 27 | +/etc/stunnel/certs/ |
| 28 | +/etc/stunnel/xapi-pool-ca-bundle.pem |
| 29 | +``` |
| 30 | + |
| 31 | + |
| 32 | +## Fundamental Certificates |
| 33 | + |
| 34 | +Certificates that identify a host. These certificates are comprised of |
| 35 | +both a private and a public key. The public key may be distributed to |
| 36 | +other hosts. |
| 37 | + |
| 38 | +### xapi-ssl.pem |
| 39 | + |
| 40 | +This certificate identifies a host for extra-pool clients. |
| 41 | + |
| 42 | +This is the certificate used by the API HTTPS server that clients like |
| 43 | +XenCenter or CVAD connect to. On installation of XenServer it is auto |
| 44 | +generated but can be updated by a user using the API. This is the most |
| 45 | +important certificate for a user to establish an HTTPS connection to a |
| 46 | +pool or host to be used as an API. |
| 47 | + |
| 48 | +* /etc/xensource/xapi-ssl.pem |
| 49 | +* contains private and public key for this host |
| 50 | +* `Host.get_server_certificate` API call |
| 51 | +* referenced by /etc/stunnel/xapi.conf |
| 52 | +* `xe host-server-certificate-install` XE command to replace the |
| 53 | + certificate. |
| 54 | +* See below for xapi-stunnel-ca-bundle for additional certificates that |
| 55 | + can be added to a pool in support of a user-supplied host certificate. |
| 56 | +* `xe reset-server-certificate` creates a new self-signed certificate. |
| 57 | + |
| 58 | + |
| 59 | +### `xapi-pool-tls.pem` |
| 60 | + |
| 61 | +This certificate identifies a host inside a pool. It is auto generated |
| 62 | +and used for all intra-pool HTTPS connections. It needs to be |
| 63 | +distributed inside a pool to establish trust. The distribution of the |
| 64 | +public part of the certificate is performed by the API and must not be |
| 65 | +done manually. |
| 66 | + |
| 67 | +* /etc/xensource/xapi-pool-tls.pem |
| 68 | +* contains private and public key for this host |
| 69 | +* referenced by /etc/stunnel/xapi.conf |
| 70 | +* This certificate can be re-generated using the API or XE |
| 71 | +* `Host.refresh_server_certificate` |
| 72 | +* `xe host-refresh-server-certificate` |
| 73 | + |
| 74 | +## Certificate Bundles |
| 75 | + |
| 76 | +Certifiacte bundles are used by stunnel. They are a collection of public |
| 77 | +keys from hosts and certificates provided by a user. Knowing a host's |
| 78 | +public key facilitates stunnel connecting to the host. |
| 79 | + |
| 80 | +Bundles by themselves are a technicality as they organise a set of |
| 81 | +certificates in a single file but don't add new certificates. |
| 82 | + |
| 83 | +### `xapi-pool-ca-bundle.pem` and `certs-pool/*.pem` |
| 84 | + |
| 85 | +Collection of public keys from xapi-pool-tls.pem across the |
| 86 | +pool. The public keys are collected in the certs-pool directory: each is |
| 87 | +named after the UUID of its host and the bundle is constructed from |
| 88 | +them. |
| 89 | + |
| 90 | +* bundle of public keys from hosts' `xapi-pool-tls.pem` |
| 91 | +* constructed from PEM files in `certs-pool/` |
| 92 | +* `/opt/xensource/bin/update-ca-bundle.sh` generates the bundle from PEM |
| 93 | + files |
| 94 | + |
| 95 | +### `xapi-stunnel-ca-bundle.pem` and `certs/*.pem` |
| 96 | + |
| 97 | +User-supplied certificates; they are not essential for the operation of |
| 98 | +a pool from Xapi's perspective. They make stunnel aware of certificates |
| 99 | +used by clients when using HTTPS for API calls. |
| 100 | + |
| 101 | +* in a plain pool installation, these are empty; PEMs supplied by a user |
| 102 | + are stored here and bundled into the `xapi-stunnerl-ca-bundle.pem`. |
| 103 | +* bundle of public keys supploed by a user |
| 104 | +* constructed from PEM files in `certs/` |
| 105 | +* `/opt/xensource/bin/update-ca-bundle.sh` generates the bundle from PEM files |
| 106 | +* Updated by a user using `xe pool-install-ca-certificate` |
| 107 | +* `Pool.install_ca_certificate` |
| 108 | +* `Pool.uninstall_ca_certificate` |
| 109 | +* `xe pool-certificate-sync` explicitly distribute these certificates in |
| 110 | + the pool. |
| 111 | +* User-provided certificates can be used to let xapi connect to WLB. |
0 commit comments