Add ROOT CAs to the trust store

[vishesh92]

Description

This PR adds ROOT CAs to the trust store in System VMs & the management
This PR also adds another parameter forced to provisionCertificate command which allows provisioning certs via SSH to KVM hosts & system VMs.
Doc PR: apache/cloudstack-documentation#641

Details

This pull request introduces several improvements and new features to the CloudStack Certificate Authority (CA) management system, with a focus on enhancing certificate provisioning flexibility, supporting user-provided CA material, and improving truststore management. The most significant changes add support for forced certificate re-provisioning via SSH for disconnected agents, clarify and enforce requirements for custom CA keys, and enable automatic truststore injection for outgoing HTTPS connections.

Certificate Provisioning Enhancements:

• Added a forced boolean parameter to the ProvisionCertificateCmd API and the CAManager.provisionCertificate method, allowing administrators to re-provision agent certificates via SSH when agents are disconnected (e.g., after a CA change). This is supported for KVM hosts and SystemVMs. The implementation includes a new provisionCertificateViaSsh method for KVM hosts. [1] [2] [3] [4] [5] [6]

CA Provider and Configuration Improvements:

• Expanded and clarified configuration key documentation for user-provided CA material in the RootCAProvider, including PEM format requirements and the need to set all three keys together. Enhanced error handling and logging when loading user-provided CA keys/certificates fails, with fallback to auto-generation. [1] [2]
• Improved the description of the ca.framework.provider.plugin configuration key to clarify its purpose and the requirements for custom CA material.

Truststore Management:

• Introduced a new configuration key ca.framework.inject.default.truststore to control whether the CA provider's certificate is injected into the JVM default truststore on management server startup, enabling outgoing HTTPS connections from the management server to trust servers signed by the configured CA.
• Updated the keystore-cert-import script to also import the CA certificate into the realhostip.keystore used by the SSVM JVM, ensuring trust for CloudStack CA-signed servers.

Script and Utility Fixes:

• Improved the keystore-cert-import script to handle certificate splitting and file cleanup more robustly, preventing errors if no certificates are present.

Code Cleanup:

• Removed unused imports and code from LibvirtServerDiscoverer and related classes as part of the refactoring for SSH-based certificate provisioning. [1] [2] [3] [4] [5] [6] [7]

These changes collectively improve CloudStack's certificate management flexibility, security, and ease of integration with external CA infrastructures.

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[vishesh92]

@blueorangutan package

[blueorangutan]

@vishesh92 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

❌ Patch coverage is 36.31285% with 114 lines in your changes missing coverage. Please review.
✅ Project coverage is 18.01%. Comparing base (1bff543) to head (f1db139).
⚠️ Report is 21 commits behind head on main.

Files with missing lines	Patch %	Lines
...n/java/org/apache/cloudstack/ca/CAManagerImpl.java	42.10%	56 Missing and 10 partials ⚠️
.../apache/cloudstack/ca/provider/RootCAProvider.java	13.63%	37 Missing and 1 partial ⚠️
.../api/command/admin/ca/ProvisionCertificateCmd.java	0.00%	4 Missing ⚠️
.../cloudstack/mom/webhook/WebhookDeliveryThread.java	0.00%	3 Missing ⚠️
...rvisor/kvm/discoverer/LibvirtServerDiscoverer.java	0.00%	1 Missing ⚠️
utils/src/main/java/com/cloud/utils/nio/Link.java	0.00%	1 Missing ⚠️
...rg/apache/cloudstack/utils/security/CertUtils.java	87.50%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #12911      +/-   ##
============================================
- Coverage     18.02%   18.01%   -0.01%     
- Complexity    16460    16477      +17     
============================================
  Files          5968     5977       +9     
  Lines        537213   537905     +692     
  Branches      65975    66061      +86     
============================================
+ Hits          96825    96912      +87     
- Misses       429469   430058     +589     
- Partials      10919    10935      +16     

Flag	Coverage Δ
uitests	3.52% <ø> (-0.01%)	⬇️
unittests	19.18% <36.31%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17282

[blueorangutan]

[SF] Trillian Build Failed (tid-15758)

[Copilot]

Pull request overview

This PR extends CloudStack’s CA/certificate provisioning to support forced re-provisioning via SSH (for disconnected KVM hosts and SystemVMs) and improves truststore handling so CloudStack CA roots can be trusted by management and SystemVM JVM processes.

Changes:

• Add a forced flag to provisionCertificate (API + manager) and implement SSH-based provisioning paths for KVM hosts and SystemVMs.
• Inject configured CA certificate(s) into the management server JVM default truststore on startup (configurable via a new global setting).
• Update SystemVM/scripts truststore import logic to also populate realhostip.keystore with CA certs; improve cert-chain splitting robustness.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
utils/src/main/java/org/apache/cloudstack/utils/security/KeyStoreUtils.java	Removes an unused SystemVM import-script constant.
utils/src/main/java/com/cloud/utils/nio/Link.java	Adjusts handshake wrap error handling to fail the handshake on SSL wrap exceptions.
systemvm/patch-sysvms.sh	Imports CA cert chain into realhostip.keystore during live patch for CPVM/SSVM.
server/src/test/java/org/apache/cloudstack/ca/CAManagerImplTest.java	Updates tests for the new provisionCertificate(..., forced) signature.
server/src/test/java/org/apache/cloudstack/ca/CABackgroundTaskTest.java	Updates mocks/verifications for the new method signature.
server/src/main/java/org/apache/cloudstack/ca/CAManagerImpl.java	Implements forced provisioning via SSH + JVM truststore injection feature and wires new dependencies.
server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java	Refactors KVM discovery provisioning to call caManager.provisionCertificateViaSsh(...).
scripts/util/keystore-cert-import	Improves cert split loop robustness; imports CA into realhostip.keystore for SystemVMs.
plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java	Clarifies config docs, improves fallback logging, and fixes startup loading sequence.
api/src/main/java/org/apache/cloudstack/ca/CAManager.java	Adds forced support + introduces CaInjectDefaultTruststore config key + adds provisionCertificateViaSsh.
api/src/main/java/org/apache/cloudstack/api/command/admin/ca/ProvisionCertificateCmd.java	Adds forced API parameter and passes it through to CA manager.

Comments suppressed due to low confidence (1)

scripts/util/keystore-cert-import:78

• The certificate-chain splitting uses temp files named cloudca.* in the current working directory. This can fail or be unsafe if the script runs from an unexpected directory (clobbering existing files or following symlinks). Consider using a dedicated temporary directory via mktemp -d and writing the split certs there, then cleaning up that directory.

awk 'BEGIN{n=0} /-----BEGIN CERTIFICATE-----/{n++}{print > "cloudca." n }' "$CACERT_FILE"
for caChain in $(ls cloudca.* 2>/dev/null); do
    keytool -delete -noprompt -alias "$caChain" -keystore "$KS_FILE" -storepass "$KS_PASS" > /dev/null 2>&1 || true
    keytool -import -noprompt -storepass "$KS_PASS" -trustcacerts -alias "$caChain" -file "$caChain" -keystore "$KS_FILE" > /dev/null 2>&1
done
rm -f cloudca.*

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[blueorangutan]

[SF] Trillian Build Failed (tid-15759)

[vishesh92]

@blueorangutan package

[blueorangutan]

@vishesh92 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✖️ debian ✔️ suse15. SL-JID 17290

[vishesh92]

@blueorangutan package

[blueorangutan]

@vishesh92 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17300

[vishesh92]

@blueorangutan package

[blueorangutan]

@vishesh92 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17301

[vishesh92]

@blueorangutan package

[blueorangutan]

@vishesh92 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17330

[vishesh92]

@blueorangutan package

[blueorangutan]

@vishesh92 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17352

[vishesh92]

@blueorangutan package

[blueorangutan]

@vishesh92 a [SL] Jenkins job has been kicked to build packages. It will be bundled with no SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 17370

[vishesh92]

@blueorangutan package

[Copilot]

Pull request overview

Copilot reviewed 19 out of 19 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This approach rebuilds the JVM default trust configuration from X509TrustManager#getAcceptedIssuers() and then calls SSLContext.setDefault(...). There are two concrete problems: (1) getAcceptedIssuers() is not guaranteed to enumerate all trust anchors (some implementations return an empty/partial list), so this can silently drop system CAs and break TLS validation; (2) defaultTmf.getTrustManagers()[0] is not guaranteed to be an X509TrustManager, so the cast can fail at runtime. Prefer constructing a TrustManager that delegates to the platform default TrustManager and additionally trusts the configured CA chain (or load the actual default truststore KeyStore and add entries), and avoid globally overriding the JVM default SSLContext unless strictly necessary—set a dedicated SSLContext on the specific outbound clients instead.

[Copilot]

PEMParser is never closed. Even though it wraps a StringReader, leaving it unclosed is still a resource-handling bug pattern and can trigger static analysis failures. Use try-with-resources around the PEMParser (and reader if you keep it separate) so the parser is always closed.

[Copilot]

Same temp-file safety issue as in patch-sysvms.sh: the script writes cloudca.* into the CWD and relies on ls command substitution for iteration (breaks on whitespace and behaves poorly when no files exist). Use a temp directory + safe globs (for caChain in cloudca.*; do [ -e \"$caChain\" ] || continue; ...) and clean up only files created in that temp dir.

[Copilot]

args now includes forced, but there is no corresponding mapping.forced. In this UI config pattern, that typically results in the parameter being missing/undefined (or an extra prompt not being rendered correctly), which can break the action invocation or prevent users from setting the new flag. Add a forced mapping with an explicit default (e.g., false) and/or a UI control so the API receives a deterministic boolean.

Suggested change

	value: (record) => { return record.id }
	value: (record) => { return record.id }
	},
	forced: {
	value: false