Hi

I think I will stick with the default certificate 398 days rule. To renew the certificates automatically I am thinking of writing a script that runs engine-setup, which will detect that the certificates are close to expiring, as in the following:

--== PKI CONFIGURATION ==--

One or more of the certificates should be renewed, because they expire soon, or include an invalid expiry date, or they were created with validity period longer than 398 days, or do not include the subjectAltName extension, which can cause them to be rejected by recent browsers and up to date hosts.
See https://www.ovirt.org/develop/release-management/features/infra/pki-renew/ for more details.
Renew certificates? (Yes, No) [No]:

However I see a couple of problems:

- engine-setup must be run with the offline option, because otherwise it will try to update the packages, which I want to avoid. When offline is used, do the VMs running on the KVM hosts have to be stopped? Can this be done online? It is a pain if every time I need to renew the certificates I have to stop the entire virtualization environment.
- To script and run this process as a cron job, can we run engine-setup non-interactively?

Thanks

On Sat, Nov 4, 2023 at 6:47 PM LS CHENG <lsc.oraes@gmail.com> wrote:

Hi

Yes, it is generated with engine-setup.

How do you extend the certificate validation value in engine-setup? (I am aware that browsers can have problems with long duration certificates, as explained in https://techbeacon.com/security/google-apple-mozilla-enforce-1-year-max-security-certifications)

Thanks

On Sat, Nov 4, 2023 at 6:39 PM Matej Dujava <ovirt@kocurkovo.cz> wrote:

Hi,

By self signed cert, you mean a managed cert generated by oVirt itself (engine-setup)?

I found an issue https://bugzilla.redhat.com/show_bug.cgi?id=1824103 where it's mentioned that Safari (maybe other browsers too) has a problem with a long self-signed CA. If it's not affecting your clients, you can change the values and regenerate the cert with engine-setup.

You can always generate the SSL cert by hand (openssl or cfssl ...) and replace it following https://www.ovirt.org/documentation/administration_guide/#Replacing_the_Manager_CA_Certificate .

On 4 November 2023 14:18:26 CET, LS CHENG <lsc.oraes@gmail.com> wrote:

Hi again

Forgot to mention that I am using self signed certificates.

Thank you

On Sat, Nov 4, 2023 at 2:07 PM LS CHENG <lsc.oraes@gmail.com> wrote:

Hi all

I am running Oracle Linux Virtualization Manager 4.4.

The default expiration length for apache.cer and websocket-proxy.cer is 1 year, is there a way to extend them to 10 years?

Thank you
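For the cron script idea in the first message of this thread, an added example that is not code from the thread or from the oVirt project: a read-only check that reports certificates which expire soon or were issued for more than 398 days (the same condition engine-setup warns about), so the job can decide when a renewal run is due. It assumes openssl and GNU date on the host; the certificate files are passed as arguments rather than assumed.

```shell
# Added example, not code from the thread or the oVirt project: a read-only
# check that reports certificates expiring soon or issued for more than 398
# days (the condition engine-setup warns about). Needs openssl and GNU date.
set -u
MAX_VALIDITY_DAYS=398   # limit enforced by recent browsers and engine-setup
WARN_DAYS=30            # start warning this many days before notAfter

# Whole days between two date strings in the form openssl prints them.
days_between() {
    start=$(date -u -d "$1" +%s) || return 1
    end=$(date -u -d "$2" +%s) || return 1
    echo $(( (end - start) / 86400 ))
}

# The startdate or enddate field of a PEM certificate; fails if unreadable.
cert_field() {
    v=$(openssl x509 -in "$1" -noout "-$2" 2>/dev/null | cut -d= -f2)
    [ -n "$v" ] && echo "$v"
}

# Total validity (notBefore..notAfter) of a certificate file, in days.
cert_validity_days() {
    nb=$(cert_field "$1" startdate) || return 1
    na=$(cert_field "$1" enddate) || return 1
    days_between "$nb" "$na"
}

# Prints one line per problem; returns 0 only if the certificate needs no action.
check_cert() {
    status=0
    na=$(cert_field "$1" enddate) || { echo "$1: cannot read certificate"; return 1; }
    left=$(days_between "$(date -u)" "$na")   # negative once expired
    total=$(cert_validity_days "$1") || return 1
    if [ "$left" -le "$WARN_DAYS" ]; then
        echo "$1: expires in $left days"; status=1
    fi
    if [ "$total" -gt "$MAX_VALIDITY_DAYS" ]; then
        echo "$1: validity of $total days exceeds $MAX_VALIDITY_DAYS"; status=1
    fi
    return $status
}
# Cron entry point: pass the certificate files (e.g. apache.cer and
# websocket-proxy.cer from the thread); exit status is non-zero if any needs action.
main() {
    rc=0
    for f in "$@"; do check_cert "$f" || rc=1; done
    return $rc
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit from the cron run is the signal that engine-setup's renewal prompt would fire; the script itself never changes anything.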