
I'm writing a script to install a new SSL key/cert pair (from Let's Encrypt) for the engine web UI on oVirt 4.1. I'm looking at this, but it's a little confusing.

https://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/

It sounds like steps 1 and 3 are referring to the CA-supplied intermediate cert(s), not the actual issued cert for the server. Is that right?

Does anything actually use the PKCS12 format file referred to in step 4? I don't normally see that format from regular CAs; they usually provide cert+intermediate(s) in PEM format.

With Apache 2.4, it is normal to just put the cert+intermediate(s) chain in one file and configure Apache with SSLCertificateFile. You aren't supposed to put the CA-supplied cert in the SSLCACertificateFile like oVirt appears to do; that's intended to be used for validating client certs, not the intermediate(s) for the server cert.

It really just looks like the cert+intermediate(s) should go in /etc/pki/ovirt-engine/certs/apache.cer, the corresponding key put in /etc/pki/ovirt-engine/keys/apache.key.nopass, and then Apache needs to be restarted.

Since oVirt doesn't use the engine web UI cert for anything internally (right?), do any of the other steps on the above page matter?

--
Chris Adams <cma@cmadams.net>
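
A pre-install check that an install script of this kind could run before copying files into place and restarting Apache, as an added example that is not part of the original post or of oVirt's documentation: it confirms that the private key matches the first certificate in the PEM chain file, which for `SSLCertificateFile` must be the server certificate, followed by the intermediate(s). It assumes the `openssl` CLI is installed; the function names are hypothetical, and the throwaway self-signed pairs are constructed test input.

```shell
#!/bin/sh
# Added example: sanity-check a PEM chain file and private key before install.
# Assumes the openssl CLI is available; all function names are hypothetical.

# Digest of the public key in the FIRST certificate of a PEM file.
# openssl x509 reads only the first certificate block, which is the one
# Apache treats as the server (leaf) certificate in SSLCertificateFile.
cert_pubkey_digest() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# Digest of the public key derived from an unencrypted private key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
key_pubkey_digest() {
    pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# Number of certificates in a PEM bundle (leaf plus intermediates).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Returns 0 if the key matches the first cert, 1 on mismatch,
# 2 if either file is missing or cannot be parsed.
check_pair() {  # $1 = PEM chain file (leaf first), $2 = private key
    c=$(cert_pubkey_digest "$1") || return 2
    k=$(key_pubkey_digest "$2") || return 2
    [ "$c" = "$k" ]
}

# Constructed test input: a throwaway self-signed cert and key.
make_constructed_pair() {  # $1 = output prefix, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Usage: script.sh <chain.pem> <key.pem>
if [ "$#" -eq 2 ]; then
    if check_pair "$1" "$2"; then
        echo "OK: key matches first certificate ($(count_certs "$1") cert(s) in file)"
    else
        echo "FAIL: key does not match first certificate, or a file is unreadable" >&2
        exit 1
    fi
fi
```

A mismatch here usually means the chain file has an intermediate ahead of the server certificate, or the key belongs to a previous issuance.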