<div dir="ltr"><div>Thanks Alon and Thomas!<br><br></div><div>iordan<br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Nov 20, 2013 at 1:51 PM, Alon Bar-Lev <span dir="ltr">&lt;<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5"><br>
<br>
----- Original Message -----<br>
> From: "i iordanov" &lt;<a href="mailto:iiordanov@gmail.com">iiordanov@gmail.com</a>&gt;<br>
> To: <a href="mailto:users@ovirt.org">users@ovirt.org</a><br>
> Sent: Wednesday, November 20, 2013 6:50:04 PM<br>
> Subject: [Users] replacing self-signed certificates<br>
><br>
> Hello,<br>
><br>
> I searched around but could not come up with specific instructions for how to<br>
> replace the self-signed certificates in an oVirt 3.3 setup with<br>
> non-self-signed certificates. I need to ensure that my oVirt/SPICE client<br>
> actually does the right thing when connecting to a machine with a 3rd party<br>
> signed certificate.<br>
><br>
> Presumably, I would be able to adapt the instructions provided here:<br>
> <a href="http://www.ovirt.org/How_to_change_engine_host_name" target="_blank">http://www.ovirt.org/How_to_change_engine_host_name</a><br>
><br>
> right? Which steps need to be modified? If I hammer at it long enough, I<br>
> would probably succeed in getting it to work at some point, but I was hoping<br>
> for somebody more experienced to help me over the initial hurdle.<br>
><br>
> In case I have to reinstall to use non-self-signed certificates, how do I go<br>
> about preparing the environment prior to running engine-setup?<br>
<br>
</div></div>Usually there is no need to replace any certificate other than the certificate that is used for the Apache frontend.<br>
<br>
No need to touch the spice and other certificates and keys.<br>
<br>
Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA certificate chain.<br>
Replace /etc/pki/ovirt-engine/keys/apache.p12 with your key store.<br>
Extract the key from apache.p12 to /etc/pki/ovirt-engine/keys/apache.key.nopass; do not protect it with a password.<br>
Extract the certificate from apache.p12 to /etc/pki/ovirt-engine/certs/apache.cer<br>
<br>
Alternatively, you can configure mod_ssl as you wish.<br>
<br>
Once you do this, if you have ovirt-node already installed, delete /etc/pki/vdsm/certs/engine_web_ca.pem to allow fetching the SSL trust and to allow registration in the future.<br>
<br>
Regards,<br>
Alon Bar-Lev.<br>
</blockquote></div><br><br clear="all"><br>-- <br>The conscious mind has only one thread of execution.
</div>
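<p>Added example, not part of the thread: one way to carry out the two extraction steps from the reply above with the openssl CLI, then confirm that the key matches the certificate and that the certificate chains to apache-ca.pem. The function name, the password-file argument and the optional directory argument are hypothetical; the file paths are the ones given in the reply, and the chain file is assumed to include the root CA.</p>

```shell
#!/bin/sh
# Added example (not from the thread). extract_apache_p12 and its arguments
# are hypothetical names; the paths under PKI_DIR are those in the reply.
# Usage: extract_apache_p12 PASSFILE [PKI_DIR]
extract_apache_p12() {
    passfile=$1
    pki=${2:-/etc/pki/ovirt-engine}
    p12=$pki/keys/apache.p12
    key=$pki/keys/apache.key.nopass
    cer=$pki/certs/apache.cer
    ca=$pki/apache-ca.pem

    if [ ! -r "$p12" ] || [ ! -r "$ca" ] || [ ! -r "$passfile" ]; then
        echo "cannot read $p12, $ca or $passfile" >&2
        return 1
    fi

    # The key is stored without a passphrase, so file permissions are its
    # only protection: create it owner-only and tighten any existing file.
    ( umask 077
      openssl pkcs12 -in "$p12" -passin "file:$passfile" -nocerts -nodes |
          openssl pkey -out "$key" ) || return 1
    chmod 600 "$key"

    # -clcerts keeps only the leaf certificate; the chain lives in apache-ca.pem.
    openssl pkcs12 -in "$p12" -passin "file:$passfile" -nokeys -clcerts |
        openssl x509 -out "$cer" || return 1

    # Check 1: the extracted key and certificate carry the same public key.
    kpub=$(openssl pkey -in "$key" -pubout) || return 1
    cpub=$(openssl x509 -in "$cer" -noout -pubkey) || return 1
    if [ "$kpub" != "$cpub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # Check 2: the certificate verifies against the replaced CA chain
    # (assumption: apache-ca.pem contains the full chain including the root).
    if ! openssl verify -CAfile "$ca" "$cer" >/dev/null 2>&1; then
        echo "certificate does not chain to $ca" >&2
        return 1
    fi
    echo "apache key and certificate extracted and verified"
}
```

The password is read from a file so that it does not appear in the process list or shell history.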