[Users-pt] Certificado SSL

Amador Pahim apahim at redhat.com
Thu Feb 12 11:31:48 UTC 2015 

Opa,


Nossa documentação diz o seguinte (não testei aqui):

----------------------------------------------------
Prerequisites

This procedure requires a PEM formatted certificate from your commercial 
certificate issuing authority, a .nokey file, and a .cer file. The 
.nokey and .cer files are sometimes distributed as a certificate-key 
bundle in the P12 format.
This procedure assumes that you have a certificate-key bundle in the P12 
format.
⁠

Procedure D.1. Replacing the Red Hat Enterprise Virtualization Manager 
Apache SSL Certificate

     The Manager has been configured to use 
/etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to 
/etc/pki/ovirt-engine/ca.pem. Remove the symbolic link.

     # rm /etc/pki/ovirt-engine/apache-ca.pem

     Save your commercially issued certificate as 
/etc/pki/ovirt-engine/apache-ca.pem. The certificate chain must be 
complete up to the root certificate. The chain order is important and 
should be from the last intermediate certificate to the root certificate.

     mv YOUR-3RD-PARTY-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem

     Move your P12 bundle to /etc/pki/ovirt-engine/keys/apache.p12.
     Extract the key from the bundle.

     # openssl pkcs12 -in  /etc/pki/ovirt-engine/keys/apache.p12 
-nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass

     Extract the certificate from the bundle.

     # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys 
 > /etc/pki/ovirt-engine/certs/apache.cer

     Restart the Apache server.

     # service httpd restart

Result
Your users can now connect to the portals without being warned about the 
authenticity of the certificate used to encrypt https traffic.
----------------------------------------------------


On 02/12/2015 07:36 AM, Ronaldo Araujo wrote:
> Obrigado Marcelo ...
>
> Também estou olhando esse link: http://www.ovirt.org/Features/PKI
>
> Gostaria de saber se alguém da lista já conseguiu fazer essa troca de certificado ?
>
> Estou quebrando a cabeça, mas ainda não obtive sucesso ...
>
>
>
> Ronaldo Araujo
>
>
> ----- Mensagem original -----
>
> De: "Marcelo Barbosa" <firemanxbr at fedoraproject.org>
> Para: "Ronaldo Araujo" <ronaldo at sinprosp.org.br>
> Cc: "oVirt Brasil" <users-pt at ovirt.org>
> Enviadas: Quarta-feira, 11 de Fevereiro de 2015 16:12:58
> Assunto: Re: [Users-pt] Certificado SSL
>
>
> Ronaldo,
>
>
> Acredito que esta documentação possa lhe ajudar um pouco: http://www.ovirt.org/How_to_change_engine_host_name
>
>
> Cheers,
>
>
>
>
> firemanxbr
>
> On Wed, Feb 11, 2015 at 4:01 PM, Ronaldo Araujo < ronaldo at sinprosp.org.br > wrote:
>
>
> Boa tarde senhores ...
>
> Estou montando um ovirt 3.5 num servidor de teste ( hoje tenho o 3.3 e farei a migração no carnaval) ...
>
> Como tem um certificado SSl gerado para o meu domínio, gostaria de configurá-lo no ovirt para quando fizer o acesso web, o navegador não reclamar do certificado.
>
> Qual o procedimento para se fazer essa substituição do certificado ?
>
> Tentei seguir o seguinte:
>
> Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA certificate chain.
> Replace /etc/pki/ovirt-engine/keys/apache.p12 with key store.
> Extract key from apache.p12 to /etc/pki/ovirt-engine/keys/apache.key.nopass do not protect with password.
> Extract certificate from apache.p12 to /etc/pki/ovirt-engine/certs/apache.cer
>
> mas no log apache me retornou:
>
> [Wed Feb 11 13:47:35 2015] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
> [Wed Feb 11 13:47:35 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Wed Feb 11 13:47:35 2015] [error] Init: Unable to read server certificate from file /etc/pki/ovirt-engine/certs/apache.cer
> [Wed Feb 11 13:47:35 2015] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> [Wed Feb 11 13:47:35 2015] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
>
>
> Obrigado por qualquer ajuda.
>
> Ronaldo Araujo
> _______________________________________________
> Users-pt mailing list
> Users-pt at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users-pt
> _______________________________________________
> Users-pt mailing list
> Users-pt at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users-pt

More information about the Users-pt mailing list