<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hi,<br><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">you can find descriptions and file locations of oVirt PKI infrastructure at [1]. There are also 'pki-*' tools for managing oVirt PKI infra, which are available on oVirt engine host after installation [2].<br><br>Regards<br><br>Martin<br><br>[1] <a href="https://www.ovirt.org/develop/release-management/features/infra/pki/">https://www.ovirt.org/develop/release-management/features/infra/pki/</a><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">[2] /usr/share/ovirt-engine/bin<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 22, 2017 at 2:39 AM, pengyixiang <span dir="ltr"><<a href="mailto:yxpengi386@163.com" target="_blank">yxpengi386@163.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="line-height:1.7;color:rgb(0,0,0);font-size:14px;font-family:Arial"><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text">hello, everyone<br></div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text"> I'm a newbie in ovirt and ssl, and I see follows in Redhat Bugzilla:</div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text">==============================<wbr>==============================<br></div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text">1. Copy the VDSM certificate of the RHEV-H host to the RHEV-M machine. This certificate should be in the host, inside the file /etc/pki/vdsm/certs/vdsmcert.<wbr>pem. <br></div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text">2. Once you have the VDSM certificate in the engine machine verify that it has been signed by the certificate authority of the engine:
# openssl verify -CAfile /etc/pki/ovirt-engine/ca.pem vdsmcert.pem
vdsmcert.pem: OK
As in the example above the result should be "OK", if you get any other thing then there is a problem. <br></div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text">3. Check that the CA certificate used by both RHEV-H and RHEV-M is the same. In RHEV-H it is inside /etc/pki/vdsm/certs/cacert.<wbr>pem, in RHEV-M it is inside /etc/pki/ovirt-engine/ca.pem. <br></div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text">==============================<wbr>=============================<br></div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text"> then I have some questions:</div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text"> 1.how did the vdsmcert.pem generated?</div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text"> 2.i saw vdsmcert.pem in vdsm as the same as certs/106F.pem in engine, but vdsmcert.pem's size is 4k, and 106F.pem's size is 8k,why's this?</div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text"> 3.cacert.pem : 1000.pem is the same as vdsmcert.pem : 106F.pem, so as first " Copy the VDSM certificate of the RHEV-H host to the RHEV-M machine" <br></div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text">may be not right, there's size is different?</div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text"> 4.As i know these files in engine is used: engine.p12, .truststore; and these in vdsm is used: vdsmkey.pem, vdsmcert.pem, cacert.pem, how did these works?</div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text"><br></div><div class="gmail-m_7022223123157234621bz_comment_text gmail-m_7022223123157234621bz_wrap_comment_text">Thanks in Advance<br></div></div><br><br><span title="neteasefooter"><p> </p></span><br>______________________________<wbr>_________________<br>
Devel mailing list<br>
<a href="mailto:Devel@ovirt.org">Devel@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/devel" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/devel</a><br></blockquote></div><br></div></div>