On May 14, 2017, at 3:35 AM, Yedidyah Bar David <didi(a)redhat.com> wrote:
In addition to Yaniv's explanation below, can you explain why it was
bad? That is, what software/process was broken by it? Please note that
this is the CN of the CA's cert, not of the individual certs it signs
(such as the one for the web server for https) - these have the FQDN
you supplied to engine-setup as their CN.
You're absolutely right; my apologies for that red herring. I confused myself after
too long at the keyboard.
> The 5 random digits are supposed to be OK, and are actually a feature - it
> ensures uniqueness if you re-generate (most likely reinstall your Engine),
> as otherwise some browsers fail miserably if a CA cert mismatches what they
> know.
>
> SAN is being worked on - we are aware of Chrome 58 now requiring it.
> I sincerely hope to see it in 4.1.2 (see https://bugzilla.redhat.com/1449084).
Indeed, and see my comment 5 there for how to add SAN to an existing
setup, _after_ you upgrade to 4.1.2 when it's out.
Great, that's handy.
Thanks for the pointer! That was the missing piece for me; my Google-fu failed to uncover
it. I think I have what I need.
Thanks again to both of you,
-j