[ovirt-devel] how did ovirt's ssl work?

Martin Perina mperina at redhat.com
Fri Sep 22 07:28:47 UTC 2017


Hi,

you can find descriptions and file locations of the oVirt PKI infrastructure
at [1]. There are also 'pki-*' tools for managing the oVirt PKI infra, which
are available on the oVirt engine host after installation [2].

Regards

Martin

[1] https://www.ovirt.org/develop/release-management/features/infra/pki/
[2] /usr/share/ovirt-engine/bin


On Fri, Sep 22, 2017 at 2:39 AM, pengyixiang <yxpengi386 at 163.com> wrote:

> hello, everyone
>    I'm a newbie in ovirt and ssl, and I saw the following in Red Hat Bugzilla:
> ============================================================
> 1. Copy the VDSM certificate of the RHEV-H host to the RHEV-M machine.
> This certificate should be in the host, inside the file
> /etc/pki/vdsm/certs/vdsmcert.pem.
> 2. Once you have the VDSM certificate in the engine machine verify that it
> has been signed by the certificate authority of the engine:
>     # openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem vdsmcert.pem
>     vdsmcert.pem: OK
> As in the example above the result should be "OK", if you get any other
> thing then there is a problem.
> 3. Check that the CA certificate used by both RHEV-H and RHEV-M is the
> same. In RHEV-H it is inside /etc/pki/vdsm/certs/cacert.pem, in RHEV-M it
> is inside /etc/pki/ovirt-engine/ca.pem.
> ===========================================================
>    Then I have some questions:
>     1. How is vdsmcert.pem generated?
>     2. I saw that vdsmcert.pem in vdsm is the same as certs/106F.pem in
> engine, but vdsmcert.pem's size is 4k and 106F.pem's size is 8k. Why is this?
>     3. cacert.pem : 1000.pem is the same as vdsmcert.pem : 106F.pem, so the
> first step, "Copy the VDSM certificate of the RHEV-H host to the RHEV-M
> machine", may not be right, since their sizes are different?
>     4. As far as I know, these files are used in engine: engine.p12,
> .truststore; and these are used in vdsm: vdsmkey.pem, vdsmcert.pem,
> cacert.pem. How do these work?
>
> Thanks in Advance
>
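Added example (not part of the original messages or of oVirt's own tooling): steps 2 and 3 of the quoted procedure as a script that compares certificates by SHA-256 fingerprint, because a PEM file can carry extra text around the encoded certificate and file size alone does not show whether two files hold the same certificate. The function names and the throwaway demo PKI are constructed for illustration; on a real setup pass the paths named in the procedure.

```shell
#!/bin/sh
# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# True when both files carry the same certificate, whatever else they contain.
same_cert() {
    a=$(cert_fp "$1") && b=$(cert_fp "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when certificate $2 chains to the CA in $1 (step 2 of the procedure).
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Steps 2 and 3 together: $1 engine CA, $2 host copy of the CA, $3 host cert.
check_host_pki() {
    rc=0
    signed_by "$1" "$3" || { echo "FAIL: $3 is not signed by $1"; rc=1; }
    same_cert "$1" "$2" || { echo "FAIL: $1 and $2 are different CAs"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: host certificate and CA copy match the engine CA"
    return "$rc"
}

# Constructed throwaway PKI (not oVirt's real files) so the checks run offline.
make_demo_pki() {
    d=$1
    new_ca() {  # $1 = file basename, $2 = subject CN
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
    }
    new_ca ca demo-engine-ca && new_ca other demo-unrelated-ca &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-host" \
        -keyout "$d/vdsmkey.pem" -out "$d/host.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/vdsmcert.pem" 2>/dev/null &&
    # Same CA certificate preceded by a human-readable dump: a larger file.
    openssl x509 -in "$d/ca.pem" -text -out "$d/cacert.pem"
}

demo=$(mktemp -d) && make_demo_pki "$demo" &&
    check_host_pki "$demo/ca.pem" "$demo/cacert.pem" "$demo/vdsmcert.pem"
rm -rf "$demo"
```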
