pool-certificate-list
XenServer’s Workload Balancing component lets you use certificates to secure communication between
XenServer pools and the Workload Balancing server. You can either use the default certificate, which is
created automatically during Workload Balancing installation, or you can specify a certificate you have
already created.
To use your own certificate, the certificate must be in X.509 format. If you want to import the certificate into
XenServer's certificate store, during Workload Balancing installation you must specify that WLB use an
existing certificate, and export it. Currently, you must do this by installing WLB with the Msiexec commands.
However, following installation you need to export the certificate again. When you export the certificate
from Workload Balancing, Workload Balancing exports it in Base64 encoded format. You must convert the
exported certificate into a Privacy Enhanced Mail (PEM) file or a .crt format by exporting it from Windows
using Windows certificate management features so that XenServer can import it.
Note:
To convert the exported certificate into a PEM (.pem) file, copy it to your XenServer pool master and run
the following commands:
openssl enc -base64 -in <exported_cert_name.crt> -out <certificate.pem>
After converting the certificate into .pem or .crt, you must load the certificate onto servers across the pool
by doing the following:
1. List any existing certificates on the pool (using xe pool-certificate-list).
2. Install the certificate you specified during WLB installation (using pool-certificate-install).
3. Synchronize the certificate on all hosts in the pool (using pool-certificate-sync).
4. (Optional.) Instruct XenServer to require a certificate before connecting (using pool-certificate-sync).
pool-certificate-list
Lists all installed SSL certificates.
pool-certificate-install
pool-certificate-install filename=<certificatefilename>
Run this command on the pool to install the certificate you specified during WLB installation on the pool
master. Before installing the certificate on the master, it must be exported in either .pem or .crt format. If you
are exporting the certificate using Windows certificate management features, select the Base 64 encoded
X.509 format.
Typically, when you installed WLB, you may have named the certificate something like wlbcert.cer. Simply
renaming the file wlbcert.crt is not sufficient. You must export the certificate so that the file is converted
into the format XenServer expects to receive.
pool-certificate-sync
pool-certificate-sync
Run this command on the pool, after running the pool-certificate-install command, to make sure the
certificate and certificate revocation lists are synchronized from the pool master to all slaves on the pool.
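The following script is an added example, not part of the XenServer documentation. It checks that a certificate file is actually Base64 (PEM) encoded, rather than a binary DER file that was only renamed, before running the list, install and sync commands described above. The function names cert_format and install_wlb_cert are hypothetical, and the two-byte DER check is a heuristic.

```shell
#!/bin/sh
# Added example: pre-flight format check before installing a WLB certificate.
# cert_format and install_wlb_cert are hypothetical helper names.

# Print "pem", "der" or "unknown" for the certificate file given as $1.
cert_format() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 0; }
    # A binary (DER) X.509 certificate normally starts with bytes 0x30 0x82
    # (ASN.1 SEQUENCE with a two-byte length). Heuristic, not a full parse.
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    if [ "$magic" = 3082 ]; then
        echo der
    # Base64 X.509 exports carry BEGIN/END armor lines. Matching on the
    # line prefix also accepts the CRLF line endings Windows writes.
    elif grep -q '^-----BEGIN CERTIFICATE-----' "$f" &&
         grep -q '^-----END CERTIFICATE-----' "$f"; then
        echo pem
    else
        echo unknown
    fi
}

# Run the documented sequence on the pool master, but only for a PEM file.
install_wlb_cert() {
    cert=$1
    fmt=$(cert_format "$cert")
    if [ "$fmt" != pem ]; then
        echo "not installing $cert: detected format '$fmt', expected PEM;" \
             "re-export it as Base-64 encoded X.509" >&2
        return 1
    fi
    xe pool-certificate-list &&
    xe pool-certificate-install filename="$cert" &&
    xe pool-certificate-sync
}

# When called with a file name, run the sequence on that file.
if [ "$#" -gt 0 ]; then
    install_wlb_cert "$1"
fi
```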