[Users] replacing self-signed certificates
thomas.suckow at pnnl.gov
Wed Nov 20 18:00:07 UTC 2013
I don't know about the native SPICE client, but here is what I did for
apache and the websocket proxy:
In /etc/httpd/conf.d/ssl.conf it lists
Those are the files you need to replace for the web interface. My certs
were combined, so I actually only use SSLCertificateFile and
NOTE: If you modify ssl.conf, the path
/etc/pki/ovirt-engine/apache-ca.pem is used by ovirt-iso-uploader.
Uploads will fail unless you replace/symlink that file or specify a CA
certificate on the command line. I actually linked to my chain file and
it seems to be happy.
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf defines the
The websocket proxy needs a combined certificate file with your cert and
the entire chain for SSL_CERTIFICATE
SSL_KEY is just the unencrypted key, and it MUST be accessible by the
As for spice, I am not sure, I am guessing it is
Not sure where they are referenced except by the websocket proxy.
More information about the Users