On Sat, May 13, 2017 at 2:35 AM, Jamie Lawrence <jlawrence@squaretrade.com> wrote:
The key generated by the engine install ended up with a bad CN; it has a five-digit number appended to the host name, and no SAN.

The 5 random digits are supposed to be OK, and are actually a feature - it ensures uniqueness if you re-generate (most likely reinstall your Engine), as otherwise some browsers fail miserably if a CA cert mismatches what they know.

SAN is being worked on - we are aware of Chrome 58 now requiring it.
I sincerely hope to see it in 4.1.2 (see https://bugzilla.redhat.com/1449084 ).
Y.



I've lived with this through setup, but now I'm getting close to prod use, and need to clean up so that it is usable for general consumption. And the SPICE HTML client is completely busted due to this; that's a problem because we're mostly MacOS on the client side, and the Mac Spice client is unusable for normal humans.

 I'm wary of attempting to regenerate these manually, as I don't have a handle on how the keysare used by the various components.

What is the approved method of regenerating these keys?

-j
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users