On Thu, Sep 26, 2019 at 3:19 AM TomK <tomkcpr(a)mdevsys.com> wrote:
> Hey All,
> Would anyone have a more recent wiki on changing all certificates,
> including VDSM ones?
> Have this page but it's for version 3.
> https://access.redhat.com/solutions/2409751

I wasn't aware of this page. It's quite old, but mostly correct.
However, if you do not mind host downtime, it's much easier to re-enroll
certificates for all hosts, instead of the manual steps mentioned there
(that are quite old, perhaps not up-to-date).

> Thinking the process didn't change much but wanted to ask if there's
> anything more recent floating around.

I am not aware of anything specifically doing what you want.
Related pages you might want to check:
1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of:
https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks...
2. Only now I noticed that it does not mention the option --san for
setting SubjectAltName. It does appear here:
https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html
See also:
https://www.ovirt.org/develop/release-management/features/infra/pki-renew...
So I guess (didn't try recently) that if you follow the existing procedures
and generate pki without --san, a later engine-setup will prompt you to renew.
Best regards,
--
Didi
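
An added example, not part of the original message and not oVirt's own tooling: a shell check for the two properties the linked pages deal with, a SHA-1 signature and a missing SubjectAltName, to find certificates that are candidates for re-enrollment. The function name `audit_cert_text` is hypothetical and the sample dumps are constructed; certificate paths are left to the caller.

```shell
# Added example. Reads the text dump of one certificate on stdin, as printed by
#   openssl x509 -noout -text -in CERT
# and prints "ok" or the reasons it is a candidate for re-enrollment.
audit_cert_text() {
    dump=$(cat)
    # The first "Signature Algorithm:" line is the one inside the signed body.
    sigalg=$(printf '%s\n' "$dump" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    findings=""
    case "$sigalg" in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) findings="weak-signature($sigalg)" ;;
    esac
    # No SubjectAltName extension: the case the message ties to --san.
    if ! printf '%s\n' "$dump" | grep -q 'X509v3 Subject Alternative Name'; then
        findings="${findings:+$findings }missing-san"
    fi
    printf '%s\n' "${findings:-ok}"
}

# Constructed sample dumps (abridged; hostnames are placeholders).
SAMPLE_OLD='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Subject: O = example.test, CN = host1.example.test
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption'

SAMPLE_NEW='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Subject: O = example.test, CN = host1.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:host1.example.test
    Signature Algorithm: sha256WithRSAEncryption'

# Audit any certificate files given as arguments (none are assumed here).
for cert in "$@"; do
    printf '%s: ' "$cert"
    openssl x509 -noout -text -in "$cert" | audit_cert_text
done
```

Run it with the engine and host certificate files as arguments before and after re-enrolling to confirm that nothing still reports `weak-signature` or `missing-san`.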