
On Fri, Dec 16, 2022 at 1:06 PM Vinz Vinz <vk@itiviti.com> wrote:
Hi David,
thx for your answer.
I have tried this non-official documentation because it was the clearest and most straightforward I've found. Indeed it's not perfect in terms of security, but having to renew each year so many different certificates across multiple clusters is really not convenient. The first time we had a certificate expiration we were not ready and, long story short, it brought us a production issue...
Indeed this doc doesn't mention vdsm, but the current start date of our vdsm certificate matches the date when we applied this doc, so I was quite surprised too, but it's definitely not related. Anyway we have a lot of vdsm certs that will expire next year, and we should be ready. (oVirt 4.4.10)
I did a recent install of oVirt 4.5, and vdsm certs are valid for 5 years, which is really better.
With our 4.4.10 clusters, if we "enrol cert", will it again be for one year? I guess the only way to have a longer period would be to update our clusters to 4.5?
I think you can also change the default cert lifetime with engine-config, item VdsCertificateValidityInDays. Didn't test this myself. If it works, it should affect new certificates, not existing ones.

Best regards,
-- 
Didi
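The incident Vinz describes (a vdsm certificate expiring before anyone noticed) is avoidable with a periodic expiry check. The script below is an added example, not something from this thread or from oVirt itself: it reports the days left on any PEM certificate and flags those inside a warning window. It assumes a Linux host with `openssl` and GNU `date`; the oVirt certificate paths in the final comment are assumptions about a typical 4.4 host and should be adjusted to your environment.

```shell
#!/bin/sh
# Added example: report days until expiry for PEM certificates so that a
# vdsm/engine certificate renewal is scheduled before it bites production.

# cert_days_left FILE -> prints whole days until the certificate's notAfter;
# returns non-zero if FILE is missing or not a parseable certificate.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//') || return 1
    [ -n "$end" ] || return 1
    # notAfter looks like "Dec 16 13:06:00 2023 GMT"; GNU date parses it directly
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# check_certs THRESHOLD FILE... -> one status line per file; returns 1 if any
# certificate is unreadable or expires within THRESHOLD days, 0 otherwise.
check_certs() {
    threshold=$1; shift
    rc=0
    for f in "$@"; do
        if days=$(cert_days_left "$f"); then
            if [ "$days" -lt "$threshold" ]; then
                echo "WARN  $f expires in $days day(s)"; rc=1
            else
                echo "OK    $f expires in $days day(s)"
            fi
        else
            echo "ERROR $f unreadable or not a certificate"; rc=1
        fi
    done
    return $rc
}

# Typical use on an oVirt host (assumed paths), warning 60 days ahead, e.g. from cron:
# check_certs 60 /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem
```

A non-zero exit from `check_certs` makes it easy to wire into cron or a monitoring agent so the renewal is planned rather than discovered.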