
On Thu, Sep 26, 2019 at 3:19 AM TomK <tomkcpr@mdevsys.com> wrote:
> Hey All,
>
> Would anyone have a more recent wiki on changing all certificates, including VDSM ones?
> Have this page but it's for version 3.

I wasn't aware of this page. It's quite old, but mostly correct. However, if you do not mind host downtime, it's much easier to re-enroll certificates for all hosts, instead of the manual steps mentioned there (that are quite old, perhaps not up-to-date).

> Thinking the process didn't change much but wanted to ask if there's anything more recent floating around.

I am not aware of anything specifically doing what you want. Related pages you might want to check:

1. Section "Replacing SHA-1 Certificates with SHA-256 Certificates" of: https://www.ovirt.org/documentation/upgrade-guide/chap-Post-Upgrade_Tasks.ht...

2. Only now I noticed that it does not mention the option --san for setting SubjectAltName. It does appear here: https://www.ovirt.org/documentation/admin-guide/chap-Utilities.html

See also: https://www.ovirt.org/develop/release-management/features/infra/pki-renew.ht...

So I guess (didn't try recently) that if you follow the existing procedures and generate pki without --san, a later engine-setup will prompt you to renew.

Best regards,
--
Didi