Re: [EXT]Re: Re: [SOLVED] Re: Re: How to re-enroll (or renew) host certificates for a single-host hosted-engine deployment?

I have checked the solution and it works, apart from the console feature of the virtual machine. In my case, once I got control over the host, I migrated all the VMs, then Maintenance, then Enroll Certificate.

So: an updated version

```
set -x ## Make the script echo everything out, so if it fails you know where
set -e ## Make the script STOP on any error

my_date="$(date +"%Y%m%d%H%M%S")"

# Backup the existing CA files
/bin/cp -p /etc/pki/ovirt-engine/private/ca.pem /etc/pki/ovirt-engine/private/ca.pem.$my_date
/bin/cp -p /etc/pki/ovirt-engine/ca.pem{,.$my_date}
/bin/mv /etc/pki/ovirt-engine/certs/ca.der{,.$my_date}

# Re-sign the existing CA certificate with its own private key (same subject and key, new 10-year validity)
openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem -in /etc/pki/ovirt-engine/ca.pem -out /etc/pki/ovirt-engine/ca.pem.new -days 3650 -sha256
# Human-readable dump followed by the PEM block, as the engine's ca.pem is kept
openssl x509 -in /etc/pki/ovirt-engine/ca.pem.new -text > /etc/pki/ovirt-engine/ca.pem.new.full

# Put the files into place
/bin/mv -f /etc/pki/ovirt-engine/ca.pem.new.full /etc/pki/ovirt-engine/ca.pem
/bin/cp -p /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/certs/ca.der
```

Now you need to copy the new CA file over to the host:
Source: ENGINE `/etc/pki/ovirt-engine/ca.pem`
Dest: HOST `/tmp/new-ca.pem`

```
########### On the oVirt Host ###########
# Create a CSR using the information from the existing certificate and the existing key:
openssl x509 -x509toreq -in /etc/pki/libvirt/clientcert.pem -out /tmp/HOST.csr -signkey /etc/pki/libvirt/private/clientkey.pem
```

Now you need to copy the new CA file over to the host:
Source: HOST `/tmp/HOST.csr`
Dest: ENGINE `/etc/pki/ovirt-engine/requests/full.hostname.com.req`

```
########### On the ENGINE HOST ###########
# Now sign it:
/usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=full.hostname.com
# NB -- adding --san results in an error: --san=host.na.me (So no Subject Alternate Names)
```

Now you need to copy the new Certificate file over to the host:
Source: ENGINE `/etc/pki/ovirt-engine/certs/full.hostname.com.cer`
Dest: HOST `/tmp/new-cert.pem`

########### On the oVirt Host ########### (see below the written script)

```
#!/bin/bash
#set -x
set -e

mydate="$(date +"%Y%m%d%H%M%S")"
echo "[.] reference ${mydate}"

# Both files must have been copied over from the engine first
for x in /tmp/new-ca.pem /tmp/new-cert.pem ; do
    echo -n "[.] checking $x"
    if [ ! -e "$x" ]; then
        echo "[not found]"
        exit 1
    else
        echo "[found]"
    fi
done

# Host certificate: back up every copy, then replace it with the newly enrolled one
for x in /etc/pki/libvirt/clientcert.pem /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-migrate/server-cert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem /etc/pki/vdsm/libvirt-vnc/server-cert.pem; do
    echo -n "[.] copying $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /tmp/new-cert.pem to $x"
    /bin/cp /tmp/new-cert.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 644 root:kvm"
    chmod 644 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done

# CA certificate: same treatment for every copy of the CA on the host
for x in /etc/pki/vdsm/libvirt-migrate/ca-cert.pem /etc/pki/vdsm/certs/cacert.pem /etc/pki/vdsm/libvirt-vnc/ca-cert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem /etc/pki/CA/cacert.pem; do
    echo -n "[.] copying $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /tmp/new-ca.pem to $x"
    /bin/cp /tmp/new-ca.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 644 root:kvm"
    chmod 644 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done

# Private key: vdsm gets a copy of the libvirt client key the CSR was signed with.
# It is a private key, so keep it readable by owner and the kvm group only (not 644).
for x in /etc/pki/vdsm/keys/vdsmkey.pem; do
    echo -n "[.] copying $x to ${x}.${mydate}"
    /bin/mv -n "$x" "${x}.${mydate}"
    echo "[done]"
    echo -n "[.] copying /etc/pki/libvirt/private/clientkey.pem to $x"
    /bin/cp /etc/pki/libvirt/private/clientkey.pem "${x}"
    echo "[done]"
    echo -n "[.] setting permissions to $x 440 root:kvm"
    chmod 440 "${x}"
    chown root:kvm "${x}"
    echo "[done]"
done

echo "[.] Checks"
openssl x509 -in /etc/pki/libvirt/clientcert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/certs/cacert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/certs/vdsmcert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/ca-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/client-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-migrate/server-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-spice/ca-cert.pem -noout -dates
openssl x509 -in /etc/pki/vdsm/libvirt-spice/server-cert.pem -noout -dates
```

Note: I would back up the entire pki folder on both node and engine.
participants (1)
-
Cosmin Cioranu
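The `-dates` checks at the end of the host script only confirm the new validity period; they do not prove that the enrolled certificate chains to the renewed CA or that it still matches the private key left in place. The following is an added example, not code from the thread or from oVirt: it rebuilds the post's renewal step on a scratch CA in a temporary directory (existing cert plus key turned into a CSR with `openssl x509 -x509toreq`, then signed by the CA), and runs the three checks worth doing before any file is moved into `/etc/pki`: chain to CA, public key in the cert equals the one derived from the key, and not expiring soon. The CA subject, host name, validity periods and file names are assumptions for the demo; `pki-enroll-request.sh` is replaced by a plain `openssl x509 -req` signing, since the engine's script is not available outside an engine host.

```shell
#!/bin/bash
# Added example (not from the original post or from oVirt).
# Scratch CA and host key in a temp dir; every subject/path below is an assumption.

# chain_ok CA CERT -> exit 0 if CERT verifies against CA
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches CERT KEY -> exit 0 if the public key inside CERT is the one derived from KEY
key_matches() {
    local cert_pub key_pub
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 1
    key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# not_expiring CERT SECONDS -> exit 0 if CERT is still valid SECONDS from now
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# renew_host_cert CA CAKEY OLDCERT HOSTKEY NEWCERT
# Mirrors the post: derive a CSR from the existing cert + key, then have the CA sign it.
# (On a real engine the signing step is pki-enroll-request.sh; here it is openssl x509 -req.)
renew_host_cert() {
    local ca="$1" cakey="$2" oldcert="$3" hostkey="$4" newcert="$5"
    local csr="${newcert}.csr"
    openssl x509 -x509toreq -in "$oldcert" -signkey "$hostkey" -out "$csr" 2>/dev/null &&
    openssl x509 -req -in "$csr" -CA "$ca" -CAkey "$cakey" -CAcreateserial \
        -out "$newcert" -days 365 -sha256 2>/dev/null
}

# demo -> exit 0 when the positive checks pass and the two negative cases are caught
demo() {
    local d
    d="$(mktemp -d)" || return 1
    # scratch CA (stands in for /etc/pki/ovirt-engine/ca.pem and private/ca.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$d/cakey.pem" -out "$d/ca.pem" -subj "/CN=Demo oVirt CA" 2>/dev/null || return 1
    # scratch host key plus an "old", about-to-expire self-signed host cert
    # (stands in for /etc/pki/libvirt/private/clientkey.pem and clientcert.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$d/hostkey.pem" -out "$d/oldcert.pem" -subj "/CN=host1.example.com" 2>/dev/null || return 1
    # an unrelated key, to show the key check catches a cert/key mismatch
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/otherkey.pem" 2>/dev/null || return 1

    renew_host_cert "$d/ca.pem" "$d/cakey.pem" "$d/oldcert.pem" "$d/hostkey.pem" "$d/newcert.pem" \
        || { echo "renewal failed"; return 1; }

    chain_ok "$d/ca.pem" "$d/newcert.pem"         || { echo "chain check failed"; return 1; }
    key_matches "$d/newcert.pem" "$d/hostkey.pem" || { echo "key check failed"; return 1; }
    not_expiring "$d/newcert.pem" $((30*86400))   || { echo "expiry check failed"; return 1; }
    # negative cases: the old self-signed cert must not chain, a foreign key must not match
    if chain_ok "$d/ca.pem" "$d/oldcert.pem"; then echo "old cert unexpectedly chains"; return 1; fi
    if key_matches "$d/newcert.pem" "$d/otherkey.pem"; then echo "wrong key unexpectedly matched"; return 1; fi
    if not_expiring "$d/oldcert.pem" $((30*86400)); then echo "old cert unexpectedly valid"; return 1; fi

    rm -rf "$d"
    echo "all checks passed"
}

demo
```

On a real host the same three functions apply directly to the files the post copies around: `chain_ok /tmp/new-ca.pem /tmp/new-cert.pem`, `key_matches /tmp/new-cert.pem /etc/pki/libvirt/private/clientkey.pem` and `not_expiring /tmp/new-cert.pem 2592000`, run before the `mv`/`cp` loops so a wrong file never replaces a working one.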