Hello all- I am looking for a methodology to force oVirt to use certs/keys managed and deployed externally. These are automated by our various automation systems and are configured to match our security policies. Rogue and/or non-transparent and/or standalone CAs in our org do not comply with our security policy. If I pre-deploy certificates and keys, does oVirt engine still need to be a CA? Similarly, our encryption policy requires use of RSA 4096 or ED25519 for SSH. This, as I understand it, is also not compatible with the RSA 2048 generated/used by the engine's internal CA. Is SSHing to this new host using this key necessary, or can I externally enroll a new host into a cluster or - if not - use different SSH key via the engine (likely derived from the above/below-mentioned certs, which may be RSA 4096)? Essentially, could I: 1. Pre-provision certificates and keys in /etc/pki/ovirt-*/ with the appropriate filenames<https://www.ovirt.org/develop/release-management/features/infra/pki.html#file-locations> 2. Run engine-setup for the first​ time (using an answers file)? Will engine-setup balk at the existence of those files, silently overwrite them, or use them? Thanks in advance. Brent Saner SENIOR SYSTEMS ENGINEER Follow us on LinkedIn! brent.saner@netfire.com 855-696-3834 Ext. 110 www.netfire.com