I just tried, it works! Thanks for your help.
Here are the steps that I followed:
- connect to the engine database using psql
- use the request as you gave it: select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');
- verify the option by running select * from vdc_options where option_name like '%VdsCer%';
- restart ovirt-engine
New hosts would have their certificates with the validity under 2 years. I
tested with an existing host by putting it in maintenance then reinstalling.
Thanks!
Those links helped me also:
https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/
https://www.ovirt.org/documentation/internal/database-upgrade-procedure/
2018-03-22 0:49 GMT-10:00 Yedidyah Bar David <didi(a)redhat.com>:
> On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose <sabose(a)redhat.com> wrote:
> > Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is
> > present in 4.2?
>
> I do not think it ever was exposed to engine-config - I think it's a
> bug in that page.
>
> You should be able to update it with psql, if needed - something like
> this:
>
> select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');
>
> I didn't try this myself.
>
> To get an sql prompt, you can use engine-psql, which should be
> available in 4.2.2,
> or simply copy the script from the patch page:
>
> https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f
>
> Also, some people claim that the use of certificates for communication
> between the engine and the hosts is an internal implementation detail,
> which should not be relevant to PCI DSS requirements. See e.g.:
>
> https://ovirt.org/develop/release-management/features/infra/pkireduce/
>
> >
> > On Mon, Mar 19, 2018 at 4:43 AM, Punaatua PAINT-KOUI <punaatua.pk(a)gmail.com>
> > wrote:
> >>
> >> Up
> >>
> >> 2018-02-17 2:57 GMT-10:00 Punaatua PAINT-KOUI <punaatua.pk(a)gmail.com>:
> >>>
> >>> Any idea someone ?
> >>>
> >>> On 14 Feb 2018 23:19, "Punaatua PAINT-KOUI" <punaatua.pk(a)gmail.com>
> >>> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> I set up a hyperconverged solution with 3 nodes, hosted engine on
> >>>> glusterfs.
> >>>> We run this setup in a PCI-DSS environment. According to PCI-DSS
> >>>> requirements, we are required to reduce the validity of any certificate
> >>>> under 39 months.
> >>>>
> >>>> I saw in this link
> >>>> https://www.ovirt.org/develop/release-management/features/infra/pki/
> >>>> that I can use the option VdsCertificateValidityInYears at engine-config.
> >>>>
> >>>> I'm running ovirt engine 4.2.1 and I checked when I was on 4.2 how to
> >>>> edit the option with engine-config --all and engine-config --list but the
> >>>> option is not listed.
> >>>>
> >>>> Am I missing something?
> >>>>
> >>>> I think I can regenerate a VDSM certificate with openssl and the CA conf
> >>>> in /etc/pki/ovirt-engine on the hosted-engine but I would rather modify the
> >>>> option for future hosts that I will add.
> >>>>
> >>>> --
> >>>> -------------------------------------
> >>>> PAINT-KOUI Punaatua
> >>
> >>
> >>
> >>
> >> --
> >> -------------------------------------
> >> PAINT-KOUI Punaatua
> >> Licence Pro Réseaux et Télecom IAR
> >> Université du Sud Toulon Var
> >> La Garde France
> >>
> >>
> >
>
>
>
> --
> Didi
>
--
-------------------------------------
PAINT-KOUI Punaatua
Licence Pro Réseaux et Télecom IAR
Université du Sud Toulon Var
La Garde France
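
A check that could be run after reinstalling a host, to confirm the issued certificate really has the shorter validity (added example, not part of the original thread and not oVirt code): it parses the output of `openssl x509 -noout -dates` and compares the validity period with the 39-month limit mentioned in the thread. The certificate path is supplied by the caller, the sample outputs are constructed, and reading "under 39 months" as strictly less than 39 is an assumption.

```python
import subprocess
import sys
from datetime import datetime

LIMIT_MONTHS = 39  # limit quoted in the thread; "under" is read as strictly less (assumption)

# Constructed sample output of `openssl x509 -noout -dates` (not from a real host).
SAMPLE_2Y = "notBefore=Mar 21 10:00:00 2018 GMT\nnotAfter=Mar 21 10:00:00 2020 GMT\n"
SAMPLE_5Y = "notBefore=Mar 21 10:00:00 2018 GMT\nnotAfter=Mar 20 10:00:00 2023 GMT\n"

def parse_dates(text):
    """Return (not_before, not_after) parsed from openssl's -dates output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            found[key] = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    if len(found) != 2:
        raise ValueError("expected both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]

def validity_months(not_before, not_after):
    """Validity in calendar months, rounded up when a partial month remains."""
    months = (not_after.year - not_before.year) * 12 + not_after.month - not_before.month
    if (not_after.day, not_after.time()) > (not_before.day, not_before.time()):
        months += 1
    return months

def check_dates(text, limit=LIMIT_MONTHS):
    """Return (months, compliant) for one certificate's -dates output."""
    months = validity_months(*parse_dates(text))
    return months, months < limit

def check_cert(path, limit=LIMIT_MONTHS):
    """Run openssl on a PEM certificate file and check its validity period."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-dates"],
                         check=True, capture_output=True, text=True).stdout
    return check_dates(out, limit)

if __name__ == "__main__":
    if len(sys.argv) > 1:            # path to a host certificate, supplied by the caller
        months, ok = check_cert(sys.argv[1])
    else:                            # no path given: fall back to the constructed sample
        months, ok = check_dates(SAMPLE_2Y)
    print(f"validity: {months} months, {'OK' if ok else 'exceeds limit'}")
    sys.exit(0 if ok else 1)
```

The script exits non-zero when the validity period is not under the limit, so it can be used in a post-install check across hosts.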