On Fri, Aug 6, 2021 at 1:22 AM <louisb(a)ameritech.net> wrote:
> I obtained the Certificate from the link on the ovirt console main page.

Which one? The one with the text "Engine CA Certificate", linking at:
https://$ENGINE_FQDN/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
?

> The certificate has been saved to storage. I attempt to import the
> certificate into a Firefox Browser and get the following message:
> Please enter the password that was used to encrypt this certificate backup:

It should not have a password.

> I enter in the same password used during the installation of ovirt. After entering in
> the password the following message is displayed:
> Failed to decode the file. Either it is not in PKCS #12 format, has been corrupted, or
> the password you entered was incorrect.

This link should not point at a PKCS#12 file.

Please clarify exactly what you did.

You can download the file from that link and look at it - it should
start with '-----BEGIN CERTIFICATE-----' and end with '-----END
CERTIFICATE-----'. Is that what you see?

> What could be the problem here, I don't have another password to enter?

I am not sure. Either it's a bug somewhere, or you did something
wrong. What's the output of 'rpm -q ovirt-engine'?

For reference: The PKCS#12 files inside /etc/pki/ovirt-engine/keys
(with .p12 suffix) are encrypted with the hard-coded password
'mypass'. I do not think we have a document for how to change that,
although it might not be that hard in principle. The files are
protected with unix permissions, the password is not part of the
protection. And in any case, the web service should IMO never serve
one of these files.

Best regards,
--
Didi
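
The file check suggested in the message above, as an added example that is not part of the original thread or of oVirt's code: it goes beyond reading the BEGIN/END lines and also inspects the DER structure, because a PKCS#12 file is binary DER whose outer SEQUENCE begins with INTEGER version 3, while an X.509 certificate begins with a nested SEQUENCE. The function names and the sample byte strings are assumptions made for this example; the samples are constructed stubs, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed stubs: just enough DER to show the outer structure of each format.
SAMPLE_CERT_DER = bytes.fromhex("300730030201020500")  # SEQUENCE { SEQUENCE {...}, NULL }
SAMPLE_PFX_DER = bytes.fromhex("30050201033000")       # SEQUENCE { INTEGER 3, SEQUENCE {} }
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT_DER)
              + b"\n-----END CERTIFICATE-----\n")

def read_tlv_header(data, pos=0):
    """Return (tag, content_start, content_length) for the DER TLV at pos."""
    if len(data) < pos + 2:
        raise ValueError("truncated DER")
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < pos + 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return tag, pos + 2 + n, int.from_bytes(data[pos + 2:pos + 2 + n], "big")

def classify_der(data):
    """Tell an X.509 certificate from a PKCS#12 (PFX) container by structure."""
    try:
        tag, start, _ = read_tlv_header(data)
        if tag != 0x30:                   # both formats are an outer SEQUENCE
            return "unknown"
        inner_tag, inner_start, inner_len = read_tlv_header(data, start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x30:                 # Certificate: first field is tbsCertificate SEQUENCE
        return "x509-der"
    if inner_tag == 0x02 and data[inner_start:inner_start + inner_len] == b"\x03":
        return "pkcs12"                   # PFX: first field is version INTEGER 3
    return "unknown"

def classify(data):
    """Classify downloaded bytes: PEM certificate, other PEM object, or raw DER."""
    m = PEM_RE.search(data)
    if not m:
        return classify_der(data)
    label = m.group(1).decode()
    if label != "CERTIFICATE":
        return "pem:" + label             # e.g. a key, which a CA download should never be
    try:
        der = base64.b64decode(m.group(2))
    except ValueError:
        return "pem-certificate-bad-base64"
    return "pem-certificate" if classify_der(der) == "x509-der" else "pem-certificate-bad-body"
```

To check a downloaded file, pass its bytes to `classify()`, for example `classify(open(path, "rb").read())`.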