Hi Thomas,
Thanks for your response! This goes a long way; however, there is still the
unknown of where ovirt-engine takes the SPICE certificate and CA from.
Can somebody confirm that replacing just the files referenced in the apache
configuration will be sufficient?
Thanks!
iordan
On Wed, Nov 20, 2013 at 1:00 PM, Thomas Suckow <thomas.suckow(a)pnnl.gov> wrote:
I don't know about the native SPICE client, but here is what I did for
apache and the websocket proxy:
In /etc/httpd/conf.d/ssl.conf it lists
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
SSLCACertificateFile
Those are the files you need to replace for the web interface. My certs
were combined, so I actually only use SSLCertificateFile and
SSLCertificateChainFile.
NOTE: If you modify ssl.conf, the path /etc/pki/ovirt-engine/apache-ca.pem
is used by ovirt-iso-uploader. Uploads will fail unless you replace/symlink
that file or specify a CA certificate on the command line. I actually
linked to my chain file and it seems to be happy.
Websocket Proxy:
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf defines the
certificates.
The websocket proxy needs a combined certificate file with your cert and
the entire chain for SSL_CERTIFICATE.
SSL_KEY is just the unencrypted key, and it MUST be accessible by the
ovirt user.
As for SPICE, I am not sure; I am guessing it is
/etc/pki/ovirt-engine/keys/engine_id_rsa and
/etc/pki/ovirt-engine/keys/certs/engine.cer
Not sure where they are referenced except by the websocket proxy.
--
Thomas
--
The conscious mind has only one thread of execution.
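
The websocket proxy requirements described in the quoted message (a combined certificate plus chain for SSL_CERTIFICATE, and an unencrypted SSL_KEY readable by the ovirt user) can be checked before restarting the service. The script below is an added example, not part of the thread or of oVirt; its function names and argument order are hypothetical, and it assumes the leaf certificate and the chain start out as separate PEM files.

```shell
#!/bin/sh
# Added example: checks for the files behind SSL_CERTIFICATE and SSL_KEY.
# Function names and the script's argument order are hypothetical.

# Print the number of PEM certificates in a file (0 if none).
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write the leaf certificate followed by the chain into one file.
# Assumes the leaf file holds exactly one certificate. awk re-emits every
# line with a newline, so a leaf file lacking a final newline cannot fuse
# its END marker with the next BEGIN marker.
build_combined() {  # args: leaf chain out
    [ "$(pem_cert_count "$1")" -eq 1 ] || { echo "leaf: need exactly 1 cert" >&2; return 1; }
    [ "$(pem_cert_count "$2")" -ge 1 ] || { echo "chain: no certificates" >&2; return 1; }
    awk 1 "$1" "$2" > "$3"
}

# Succeed only for a private key without passphrase protection. Covers
# PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy "Proc-Type: 4,ENCRYPTED".
key_is_unencrypted() {  # args: key
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    ! grep -q -e 'ENCRYPTED' "$1"
}

# Succeed if the key's public half equals that of the first certificate
# in the combined file (the leaf). Needs the openssl CLI.
key_matches_cert() {  # args: key combined
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if the given user can read the file. Needs root and runuser.
readable_by() {  # args: user file
    runuser -u "$1" -- test -r "$2"
}

# Usage: sh check.sh leaf.pem chain.pem key.pem combined-out.pem
if [ "$#" -eq 4 ]; then
    build_combined "$1" "$2" "$4" && key_is_unencrypted "$3" &&
        key_matches_cert "$3" "$4" && readable_by ovirt "$3" &&
        echo "checks passed for $4 and $3"
fi
```

Run as root so the readability check can switch to the ovirt user; the script only writes the combined output file and does not touch 10-setup.conf.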