----- Original Message -----
From: "i iordanov" <iiordanov(a)gmail.com>
To: users(a)ovirt.org
Sent: Wednesday, November 20, 2013 6:50:04 PM
Subject: [Users] replacing self-signed certificates
Hello,

I searched around but could not come up with specific instructions for how to
replace the self-signed certificates in an oVirt 3.3 setup with
non-self-signed certificates. I need to ensure that my oVirt/SPICE client
actually does the right thing when connecting to a machine with a 3rd party
signed certificate.

Presumably, I would be able to adapt the instructions provided here:
http://www.ovirt.org/How_to_change_engine_host_name
right? Which steps need to be modified? If I hammer at it long enough, I
would probably succeed in getting it to work at some point, but I was hoping
for somebody more experienced to help me over the initial hurdle.

In case I have to reinstall to use non-self-signed certificates, how do I go
about preparing the environment prior to running engine-setup?

Usually there is no need to replace any certificate other than the one that is
used for the Apache frontend.
No need to touch the SPICE and other certificates and keys.

Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA certificate chain.
Replace /etc/pki/ovirt-engine/keys/apache.p12 with the key store.
Extract the key from apache.p12 to /etc/pki/ovirt-engine/keys/apache.key.nopass; do not
protect it with a password.
Extract the certificate from apache.p12 to /etc/pki/ovirt-engine/certs/apache.cer.

Alternatively, you can configure mod_ssl as you wish.

Once you do this, if you have ovirt-node already installed, delete
/etc/pki/vdsm/certs/engine_web_ca.pem to allow fetching the SSL trust and to allow
registration in the future.

Regards,
Alon Bar-Lev.
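
The two extraction steps from the reply above, followed by a consistency check, as an added example that is not part of the original thread. It assumes the `openssl` command-line tool; the function names, the CA, the host name and the password are constructed for illustration, and all files go to a scratch directory rather than /etc/pki/ovirt-engine.

```shell
# Added example, not from the thread. The CA, host name and password are constructed
# test data, and everything is written to a scratch directory, not /etc/pki.

# Build a throwaway CA, a server certificate and an apache.p12 to practise on.
make_sample_p12() {  # usage: make_sample_p12 DIR PASSWORD
    d=$1; pass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/apache-ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=engine.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/apache-ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
    openssl pkcs12 -export -in "$d/srv.crt" -inkey "$d/srv.key" \
        -passout "pass:$pass" -out "$d/apache.p12"
}

# Write apache.key.nopass (unencrypted key) and apache.cer (leaf certificate).
# pass: suits a constructed password; -passin also accepts file: and env: sources.
extract_from_p12() {  # usage: extract_from_p12 P12 PASSWORD OUTDIR
    p12=$1; pass=$2; out=$3
    # The key has no passphrase, so create it readable by its owner only.
    ( umask 077
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null |
          openssl pkey -out "$out/apache.key.nopass" ) || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null |
        openssl x509 -out "$out/apache.cer"
}

# Succeed only if the key belongs to the certificate and the certificate
# chains to the CA file that will be installed as apache-ca.pem.
check_pair() {  # usage: check_pair KEY CERT CAFILE
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ] || { echo "key does not match certificate" >&2; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1
}

demo() {  # run all three steps in a scratch directory
    work=$(mktemp -d) || return 1
    rc=0
    { make_sample_p12 "$work" "constructed-pass" &&
      extract_from_p12 "$work/apache.p12" "constructed-pass" "$work" &&
      check_pair "$work/apache.key.nopass" "$work/apache.cer" "$work/apache-ca.pem"; } || rc=1
    rm -rf "$work"
    return $rc
}

demo && echo "key, certificate and CA chain are consistent"
```

Running `check_pair` on the extracted files before copying them to the paths named in the reply catches a mismatched key or an incomplete CA chain before Apache is pointed at them.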