[Users] replacing self-signed certificates
iheim at redhat.com
Wed Nov 20 19:54:35 UTC 2013
On 11/20/2013 08:58 PM, i iordanov wrote:
> Thanks Alon and Thomas!
iordan - maybe wikify for future generations?
> On Wed, Nov 20, 2013 at 1:51 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> ----- Original Message -----
> > From: "i iordanov" <iiordanov at gmail.com>
> > To: users at ovirt.org
> > Sent: Wednesday, November 20, 2013 6:50:04 PM
> > Subject: [Users] replacing self-signed certificates
> > Hello,
> > I searched around but could not come up with specific instructions for how to
> > replace the self-signed certificates in an oVirt 3.3 setup with
> > non-self-signed certificates. I need to ensure that my oVirt/SPICE client
> > actually does the right thing when connecting to a machine with a 3rd party
> > signed certificate.
> > Presumably, I would be able to adapt the instructions provided here:
> > http://www.ovirt.org/How_to_change_engine_host_name
> > right? Which steps need to be modified? If I hammer at it long enough, I
> > would probably succeed in getting it to work at some point, but I was hoping
> > for somebody more experienced to help me over the initial hurdle.
> > In case I have to reinstall to use non-self-signed certificates, how do I go
> > about preparing the environment prior to running engine-setup?
> Usually there is no need to replace any other certificate than the
> certificate that is used for apache frontend.
> No need to touch the spice and other certificates and keys.
> Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA
> certificate chain.
> Replace /etc/pki/ovirt-engine/keys/apache.p12 with key store.
> Extract key from apache.p12 to
> /etc/pki/ovirt-engine/keys/apache.key.nopass do not protect with
> Extract certificate from apache.p12 to
> Alternatively, you can configure the mod_ssl as you wish.
> Once you do this, if you have ovirt-node already installed, delete
> /etc/pki/vdsm/certs/engine_web_ca.pem to allow fetch ssl trust and
> allow registration in future.
> Alon Bar-Lev.
> The conscious mind has only one thread of execution.
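
Added example, not part of the thread and not oVirt's own tooling: a way to confirm that the key and certificate extracted from a PKCS#12 store belong together and chain to the CA bundle before Apache is pointed at them. The function names, the demo host name and every file name are assumptions; the script works only in a temporary directory on a constructed throwaway CA.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): sanity-check material pulled out of a
# PKCS#12 store. Function names and all file names are hypothetical.

# Constructed throwaway CA and server key store for the demo (not real PKI).
make_demo_store() {  # make_demo_store DIR PASSWORD
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
          -keyout ca.key -out ca.pem &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=engine.example.test" \
          -keyout srv.key -out srv.csr &&
      openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key \
          -CAcreateserial -days 1 -out srv.pem &&
      openssl pkcs12 -export -inkey srv.key -in srv.pem -certfile ca.pem \
          -passout "pass:$2" -out apache.p12 ) >/dev/null 2>&1
}

# Write the unencrypted key (mode 600) and the leaf certificate to files.
p12_extract() {  # p12_extract STORE PASSWORD KEY_OUT CERT_OUT
    ( umask 077
      P12PASS=$2 openssl pkcs12 -in "$1" -passin env:P12PASS -nocerts -nodes \
          2>/dev/null | openssl pkey -out "$3" 2>/dev/null ) || return 1
    P12PASS=$2 openssl pkcs12 -in "$1" -passin env:P12PASS -clcerts -nokeys \
        2>/dev/null | openssl x509 -out "$4" 2>/dev/null
}

# Succeed only if KEY matches CERT and CERT chains to CA_BUNDLE alone.
pki_consistent() {  # pki_consistent KEY CERT CA_BUNDLE
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || return 1
    openssl verify -no-CApath -CAfile "$3" "$2" >/dev/null 2>&1
}

# End-to-end run on the constructed store; returns 0 when everything agrees.
demo() {
    local d; d=$(mktemp -d) || return 1
    make_demo_store "$d" demo-pass &&
    p12_extract "$d/apache.p12" demo-pass "$d/key.nopass" "$d/leaf.pem" &&
    pki_consistent "$d/key.nopass" "$d/leaf.pem" "$d/ca.pem"
    local rc=$?; rm -rf "$d"; return $rc
}

if demo; then echo "key, certificate and CA chain agree"; fi
```

On a real system, run pki_consistent against copies of the extracted files and the CA chain, and restart Apache only when it returns 0.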