[ovirt-devel] how did ovirt's ssl work?

[pengyixiang]

hello, everyone

   I'm a newbie in ovirt and ssl, and I see follows in Redhat Bugzilla:
============================================================

1. Copy the VDSM certificate of the RHEV-H host to the RHEV-M machine. This certificate should be in the host, inside the file /etc/pki/vdsm/certs/vdsmcert.pem.

2. Once you have the VDSM certificate in the engine machine verify that it has been signed by the certificate authority of the engine: # openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem vdsmcert.pem vdsmcert.pem: OK As in the example above the result should be "OK", if you get any other thing then there is a problem.

3. Check that the CA certificate used by both RHEV-H and RHEV-M is the same. In RHEV-H it is inside /etc/pki/vdsm/certs/cacert.pem, in RHEV-M it is inside /etc/pki/ovirt-engine/ca.pem.

===========================================================

   then I have some questions:
    1.how did the vdsmcert.pem generated?
    2.i saw vdsmcert.pem in vdsm as the same as certs/106F.pem in engine, but vdsmcert.pem's size is 4k, and 106F.pem's size is 8k,why's this?
    3.cacert.pem : 1000.pem is the same as vdsmcert.pem : 106F.pem, so as first " Copy the VDSM certificate of the RHEV-H host to the RHEV-M machine"

may be not right, there's size is different?
    4.As i know these files in engine is used: engine.p12, .truststore; and these in vdsm is used: vdsmkey.pem, vdsmcert.pem, cacert.pem, how did these works?


Thanks in Advance
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/devel/attachments/20170922/0fb0a0c1/attachment.html>