[Users] replacing self-signed certificates

Itamar Heim iheim at redhat.com
Wed Nov 20 19:54:35 UTC 2013


On 11/20/2013 08:58 PM, i iordanov wrote:
> Thanks Alon and Thomas!
>
> iordan

iordan - maybe wikify for future generations?

thanks,
    Itamar

>
>
> On Wed, Nov 20, 2013 at 1:51 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>
>
>
>     ----- Original Message -----
>      > From: "i iordanov" <iiordanov at gmail.com>
>      > To: users at ovirt.org
>      > Sent: Wednesday, November 20, 2013 6:50:04 PM
>      > Subject: [Users] replacing self-signed certificates
>      >
>      > Hello,
>      >
>      > I searched around but could not come up with specific instructions for how to
>      > replace the self-signed certificates in an oVirt 3.3 setup with
>      > non-self-signed certificates. I need to ensure that my oVirt/SPICE client
>      > actually does the right thing when connecting to a machine with a 3rd party
>      > signed certificate.
>      >
>      > Presumably, I would be able to adapt the instructions provided here:
>      > http://www.ovirt.org/How_to_change_engine_host_name
>      >
>      > right? Which steps need to be modified? If I hammer at it long enough, I
>      > would probably succeed in getting it to work at some point, but I was hoping
>      > for somebody more experienced to help me over the initial hurdle.
>      >
>      > In case I have to reinstall to use non-self-signed certificates, how do I go
>      > about preparing the environment prior to running engine-setup?
>
>     Usually there is no need to replace any other certificate than the
>     certificate that is used for apache frontend.
>
>     No need to touch the spice and other certificates and keys.
>
>     Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA
>     certificate chain.
>     Replace /etc/pki/ovirt-engine/keys/apache.p12 with key store.
>     Extract key from apache.p12 to
>     /etc/pki/ovirt-engine/keys/apache.key.nopass; do not protect with
>     password.
>     Extract certificate from apache.p12 to
>     /etc/pki/ovirt-engine/certs/apache.cer
>
>     Alternatively, you can configure the mod_ssl as you wish.
>
>     Once you do this, if you have ovirt-node already installed, delete
>     /etc/pki/vdsm/certs/engine_web_ca.pem to allow fetch ssl trust and
>     allow registration in future.
>
>     Regards,
>     Alon Bar-Lev.
>
>
>
>
> --
> The conscious mind has only one thread of execution.
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
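
Added example (not part of the original thread, and not oVirt project code): the two extraction steps from Alon's reply done with the openssl CLI, plus checks that the unprotected key matches the certificate and that the certificate verifies against the CA chain. The staging directory, the P12_PASS environment variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: split apache.p12 into the key and certificate files named
# in the reply. Files are written to a staging directory (an assumption of
# this example) so they can be checked before being copied into
# /etc/pki/ovirt-engine. The PKCS#12 password is read from $P12_PASS so it
# does not appear in the process list.

extract_apache_pki() {
    p12=$1 stage=$2
    mkdir -p "$stage/keys" "$stage/certs" || return 1
    key=$stage/keys/apache.key.nopass
    cer=$stage/certs/apache.cer
    # The key is written without a passphrase, so file mode is its only
    # protection: create it under a restrictive umask.
    (
        umask 077
        openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -nocerts -nodes -out "$key"
    ) || return 1
    # Leaf certificate only; the CA chain belongs in apache-ca.pem.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS \
        -nokeys -clcerts -out "$cer" || return 1
}

# Succeeds only if the private key and the certificate share a public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if the certificate verifies against the CA chain file.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: P12_PASS=... sh this-script.sh /path/to/apache.p12 /path/to/stage
if [ "$#" -eq 2 ]; then
    extract_apache_pki "$1" "$2" &&
    key_matches_cert "$2/keys/apache.key.nopass" "$2/certs/apache.cer" &&
    echo "key and certificate match; verify the chain before installing"
fi
```

Run chain_verifies with the new apache-ca.pem as the first argument and the staged apache.cer as the second before copying anything into place.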



