[ovirt-users] Re: How to renew vmconsole-proxy* certificates

On Thu, Nov 4, 2021 at 6:51 PM Kapetanakis Giannis < bilias(a)edu.physics.uoc.gr&gt; wrote: This is a hackish way to generate a new certificate outside of ovirt-engine. 1. Backup oVirt and especially /etc on engine 2. Generate a new request for the vmconsole-proxy-helper openssl req -new -out vmconsole.req -subj /CN=MY_OVIRT_FQDN -key /etc/pki/ovirt-engine/keys/vmconsole-proxy-helper.key.nopass 3. Use the oVirt CA to sign this request to produce a new cert: cat > extfile.conf <<EOT# lets try to mimic the extensions that oVirt CA creates subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = CA:false keyUsage = digitalSignature extendedKeyUsage = DER:300E060C2B0601040192080D01020101 EOT Sign the request openssl x509 -req -CA /etc/pki/ovirt-engine/certs/ca.der -inform DER -CAkey /etc/pki/ovirt-engine/private/ca.pem -set_serial MY_SERIAL_NO \ -extfile extfile.conf -in vmconsole.req Then you can use this cert to override /etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer Needless to say, this is extremely hackish - and I would like to know the proper way to work this. BTW my vmconsole SSH keys/certs also were a) expired b) wrong type ssh-rsa so I needed to jump through similar hoops to get proxy -> host working again. --- Richard Chan