[Users] replacing self-signed certificates

Thomas Suckow thomas.suckow at pnnl.gov
Wed Nov 20 18:00:07 UTC 2013


I don't know about the native SPICE client, but here is what I did for 
Apache and the websocket proxy:

In /etc/httpd/conf.d/ssl.conf it lists
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
SSLCACertificateFile

Those are the files you need to replace for the web interface. My certs 
were combined, so I actually only use SSLCertificateFile and 
SSLCertificateChainFile.

NOTE: If you modify ssl.conf, the path 
/etc/pki/ovirt-engine/apache-ca.pem is used by ovirt-iso-uploader. 
Uploads will fail unless you replace/symlink that file or specify a CA 
certificate on the command line. I actually linked to my chain file and 
it seems to be happy.



Websocket Proxy:

/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf defines the 
certificates.

The websocket proxy needs a combined certificate file with your cert and 
the entire chain for SSL_CERTIFICATE.
SSL_KEY is just the unencrypted key, and it MUST be accessible by the 
ovirt user.



As for SPICE, I am not sure; I am guessing it is 
/etc/pki/ovirt-engine/keys/engine_id_rsa and 
/etc/pki/ovirt-engine/keys/certs/engine.cer.
Not sure where they are referenced except by the websocket proxy.

--
Thomas
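
Added example, not part of the original post and not oVirt code: a stdlib-only preflight for the two websocket proxy requirements described above (SSL_CERTIFICATE holding the cert plus chain, SSL_KEY unencrypted and readable by the ovirt user). All function names are hypothetical, "at least two certificates" is a heuristic for "chain present", and nothing here verifies signatures or that the key matches the certificate.

```python
import os
import pwd
import re
import stat

PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, body) for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM.finditer(text)]

def check_bundle(text):
    """SSL_CERTIFICATE: server cert plus chain (heuristic: at least two certs)."""
    n = sum(label == "CERTIFICATE" for label, _ in pem_blocks(text))
    if n >= 2:
        return []
    return ["no certificate in bundle" if n == 0 else "only one certificate, chain missing"]

def check_key(text):
    """SSL_KEY: must be a private key that is not passphrase-protected."""
    keys = [(l, b) for l, b in pem_blocks(text) if l.endswith("PRIVATE KEY")]
    if not keys:
        return ["no private key found"]
    # PKCS#8 flags encryption in the label, traditional PEM in a Proc-Type header.
    for label, body in keys:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            return ["key is passphrase-protected"]
    return []

def readable_by(mode, f_uid, f_gid, uid, gids):
    """Owner/group/other read check (ACLs and parent directories not considered)."""
    bit = stat.S_IRUSR if uid == f_uid else stat.S_IRGRP if f_gid in gids else stat.S_IROTH
    return bool(mode & bit)

def preflight(cert_path, key_path, user="ovirt"):
    """Run every check against the real files; returns a list of problems."""
    pw = pwd.getpwnam(user)
    gids = os.getgrouplist(user, pw.pw_gid)
    st = os.stat(key_path)
    with open(cert_path) as c, open(key_path) as k:
        problems = check_bundle(c.read()) + check_key(k.read())
    if not readable_by(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids):
        problems.append(f"{key_path} is not readable by {user}")
    return problems

# Constructed sample input: placeholder body, not real certificate or key material.
def sample_pem(label, body="AAAA\n"):
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
```

Call preflight() as root with the SSL_CERTIFICATE and SSL_KEY paths from 10-setup.conf; an empty list means both files passed these checks.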


