Hello all-

I am looking for a methodology to force oVirt to use certs/keys managed and deployed externally. These are automated by our various automation systems and are configured to match our security policies. Rogue and/or non-transparent and/or standalone CAs in our org do not comply with our security policy.

If I pre-deploy certificates and keys, does oVirt engine still need to be a CA?

Similarly, our encryption policy requires use of RSA 4096 or ED25519 for SSH. This, as I understand it, is also not compatible with the RSA 2048 generated/used by the engine's internal CA. Is SSHing to this new host using this key necessary, or can I externally enroll a new host into a cluster or - if not - use different SSH key via the engine (likely derived from the above/below-mentioned certs, which may be RSA 4096)?

Essentially, could I:

  1. Pre-provision certificates and keys in /etc/pki/ovirt-*/ with the appropriate filenames
  2. Run engine-setup for the first​ time (using an answers file)?

Will engine-setup balk at the existence of those files, silently overwrite them, or use them?

Thanks in advance.

Brent Saner
SENIOR SYSTEMS ENGINEER
Follow us on LinkedIn!
brent.saner@netfire.com
855‑696‑3834 Ext. 110
www.netfire.com