
Hi Nir, sorry for the late reply, here we go:

ovirt-imageio --show-config
{
    "backend_file": {
        "buffer_size": 8388608
    },
    "backend_http": {
        "buffer_size": 8388608,
        "ca_file": "/etc/pki/ovirt-engine/ca.pem"
    },
    "backend_nbd": {
        "buffer_size": 8388608
    },
    "control": {
        "port": 54324,
        "prefer_ipv4": true,
        "remove_timeout": 60,
        "socket": "/run/ovirt-imageio/sock",
        "transport": "tcp"
    },
    "daemon": {
        "drop_privileges": true,
        "group_name": "ovirtimg",
        "max_connections": 8,
        "poll_interval": 1.0,
        "run_dir": "/run/ovirt-imageio",
        "user_name": "ovirtimg"
    },
    "formatter_long": {
        "format": "%(asctime)s %(levelname)-7s (%(threadName)s) [%(name)s] %(message)s"
    },
    "formatters": {
        "keys": "long"
    },
    "handler_logfile": {
        "args": "(\"/var/log/ovirt-imageio/daemon.log\",)",
        "formatter": "long",
        "class": "logging.handlers.RotatingFileHandler",
        "kwargs": "{\"maxBytes\": 20971520, \"backupCount\": 10}",
        "level": "DEBUG"
    },
    "handler_stderr": {
        "formatter": "long",
        "class": "logging.StreamHandler",
        "level": "DEBUG"
    },
    "handlers": {
        "keys": "logfile"
    },
    "local": {
        "enable": false,
        "socket": "\u0000/org/ovirt/imageio"
    },
    "logger_root": {
        "handlers": "logfile",
        "level": "INFO",
        "propagate": 0
    },
    "loggers": {
        "keys": "root"
    },
    "profile": {
        "filename": "/run/ovirt-imageio/profile"
    },
    "remote": {
        "host": "::",
        "port": 54323
    },
    "tls": {
        "ca_file": "",
        "cert_file": "/etc/pki/ovirt-engine/certs/apache.cer",
        "enable": true,
        "enable_tls1_1": false,
        "key_file": "/etc/pki/ovirt-engine/keys/apache.key.nopass"
    }
}

Yes, the CA file on the engine side (/etc/pki/ovirt-engine/ca.pem) does not match the CA file on the host (/etc/pki/vdsm/certs/cacert.pem), because we made the changes only on the engine side ca.pem with the third-party cert. We followed this doc, "Replacing the oVirt Engine Apache CA Certificate"; it is working for the rest of the cluster:
https://www.ovirt.org/documentation/administration_guide/index.html#appe-Red...
Replacing the oVirt Engine Apache CA Certificate

1. If you are using a self-hosted engine, put the environment into global maintenance mode.
   # hosted-engine --set-maintenance --mode=global
   For more information, see Maintaining the Self-hosted engine.

2. Add your CA certificate to the host-wide trust store:
   # cp /tmp/3rd-party-ca-cert.pem /etc/pki/ca-trust/source/anchors
   # update-ca-trust

3. The Engine has been configured to use /etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to /etc/pki/ovirt-engine/ca.pem. Remove the symbolic link:
   # rm /etc/pki/ovirt-engine/apache-ca.pem

4. Save your CA certificate as /etc/pki/ovirt-engine/apache-ca.pem:
   # cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem

5. Back up the existing private key and certificate:
   # cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
   # cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck

6. Copy the private key to the required location:
   # cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass

7. Set the private key owner to root and set the permissions to 0640:
   # chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
   # chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass

8. Copy the certificate to the required location:
   # cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer

9. Set the certificate owner to root and set the permissions to 0644:
   # chown root:ovirt /etc/pki/ovirt-engine/certs/apache.cer
   # chmod 644 /etc/pki/ovirt-engine/certs/apache.cer

10. Restart the Apache server:
    # systemctl restart httpd.service

11. Create a new trust store configuration file, /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf, with the following parameters:
    ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
    ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

12. Copy the /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf file, and rename it with an index number that is greater than 10 (for example, 99-setup.conf).

13. Add the following parameters to the new file:
    SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
    SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass

14. Restart the websocket-proxy service:
    # systemctl restart ovirt-websocket-proxy.service

15. If you manually changed the /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf file, or are using a configuration file from an older installation, make sure that the Engine is still configured to use /etc/pki/ovirt-engine/apache-ca.pem as the certificate source.

16. Enable engine-backup to update the system on restore by creating a new file, /etc/ovirt-engine-backup/engine-backup-config.d/update-system-wide-pki.sh, with the following content:
    BACKUP_PATHS="${BACKUP_PATHS} /etc/ovirt-engine-backup"
    cp -f /etc/pki/ovirt-engine/apache-ca.pem \
        /etc/pki/ca-trust/source/anchors/3rd-party-ca-cert.pem
    update-ca-trust

17. Restart the ovirt-provider-ovn service:
    # systemctl restart ovirt-provider-ovn.service

18. Restart the ovirt-imageio service:
    # systemctl restart ovirt-imageio.service

19. Restart the ovirt-engine service:
    # systemctl restart ovirt-engine.service

20. If you are using a self-hosted engine, turn off global maintenance mode.
    # hosted-engine --set-maintenance --mode=none

Your users can now connect to the Administration Portal and VM Portal, without seeing a warning about the authenticity of the certificate used to encrypt HTTPS traffic.