[Users] replacing self-signed certificates

i iordanov iiordanov at gmail.com
Wed Nov 20 18:58:40 UTC 2013


Thanks Alon and Thomas!

iordan


On Wed, Nov 20, 2013 at 1:51 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "i iordanov" <iiordanov at gmail.com>
> > To: users at ovirt.org
> > Sent: Wednesday, November 20, 2013 6:50:04 PM
> > Subject: [Users] replacing self-signed certificates
> >
> > Hello,
> >
> > I searched around but could not come up with specific instructions for
> how to
> > replace the self-signed certificates in an oVirt 3.3 setup with
> > non-self-signed certificates. I need to ensure that my oVirt/SPICE client
> > actually does the right thing when connecting to a machine with a 3rd
> party
> > signed certificate.
> >
> > Presumably, I would be able to adapt the instructions provided here:
> > http://www.ovirt.org/How_to_change_engine_host_name
> >
> > right? Which steps need to be modified? If I hammer at it long enough, I
> > would probably succeed in getting it to work at some point, but I was
> hoping
> > for somebody more experienced to help me over the initial hurdle.
> >
> > In case I have to reinstall to use non-self-signed certificates, how do
> I go
> > about preparing the environment prior to running engine-setup?
>
> Usually there is no need to replace any other certificate than the
> certificate that is used for apache frontend.
>
> No need to touch the spice and other certificates and keys.
>
> Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA
> certificate chain.
> Replace /etc/pki/ovirt-engine/keys/apache.p12 with key store.
> Extract key from apache.p12 to
> /etc/pki/ovirt-engine/keys/apache.key.nopass do not protect with password.
> Extract certificate from apache.p12 to
> /etc/pki/ovirt-engine/certs/apache.cer
>
> Alternatively, you can configure the mod_ssl as you wish.
>
> Once you do this, if you have ovirt-node already installed, delete
> /etc/pki/vdsm/certs/engine_web_ca.pem to allow fetch ssl trust and allow
> registration in future.
>
> Regards,
> Alon Bar-Lev.
>



-- 
The conscious mind has only one thread of execution.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20131120/69a77a21/attachment-0001.html>


More information about the Users mailing list