This is  a hackish way to generate a new certificate outside of ovirt-engine.

1. Backup oVirt and especially /etc on engine

2. Generate a new request for the vmconsole-proxy-helper

openssl req -new -out vmconsole.req -subj /CN=MY_OVIRT_FQDN  -key /etc/pki/ovirt-engine/keys/vmconsole-proxy-helper.key.nopass

3. Use the oVirt CA to sign this request to produce a new cert:

cat > extfile.conf  <<EOT# lets try to mimic the extensions that oVirt CA creates
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = DER:300E060C2B0601040192080D01020101

EOT

Sign the request

openssl x509  -req -CA /etc/pki/ovirt-engine/certs/ca.der -inform DER -CAkey /etc/pki/ovirt-engine/private/ca.pem  -set_serial MY_SERIAL_NO \

    -extfile extfile.conf  -in vmconsole.req

Then you can use this cert to override /etc/pki/ovirt-engine/certs/vmconsole-proxy-helper.cer

Needless to say, this is extremely hackish - and I would like to know the proper way to work this.

BTW my vmconsole SSH keys/certs also were a) expired b) wrong type ssh-rsa so I needed to jump

through similar hoops to get proxy -> host working again.