[Users] replacing self-signed certificates
Itamar Heim
iheim at redhat.com
Wed Nov 20 19:54:35 UTC 2013
On 11/20/2013 08:58 PM, i iordanov wrote:
> Thanks Alon and Thomas!
>
> iordan
iordan - maybe wikify for future generations?
thanks,
Itamar
>
>
> On Wed, Nov 20, 2013 at 1:51 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>
>
>
> ----- Original Message -----
> > From: "i iordanov" <iiordanov at gmail.com>
> > To: users at ovirt.org
> > Sent: Wednesday, November 20, 2013 6:50:04 PM
> > Subject: [Users] replacing self-signed certificates
> >
> > Hello,
> >
> > I searched around but could not come up with specific instructions for
> > how to replace the self-signed certificates in an oVirt 3.3 setup with
> > non-self-signed certificates. I need to ensure that my oVirt/SPICE client
> > actually does the right thing when connecting to a machine with a 3rd
> > party signed certificate.
> >
> > Presumably, I would be able to adapt the instructions provided here:
> > http://www.ovirt.org/How_to_change_engine_host_name
> >
> > right? Which steps need to be modified? If I hammer at it long enough, I
> > would probably succeed in getting it to work at some point, but I was
> > hoping for somebody more experienced to help me over the initial hurdle.
> >
> > In case I have to reinstall to use non-self-signed certificates, how do
> > I go about preparing the environment prior to running engine-setup?
>
> Usually there is no need to replace any other certificate than the
> certificate that is used for apache frontend.
>
> No need to touch the spice and other certificates and keys.
>
> Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA certificate chain.
> Replace /etc/pki/ovirt-engine/keys/apache.p12 with key store.
> Extract key from apache.p12 to /etc/pki/ovirt-engine/keys/apache.key.nopass, do not protect with password.
> Extract certificate from apache.p12 to /etc/pki/ovirt-engine/certs/apache.cer
>
> Alternatively, you can configure the mod_ssl as you wish.
>
> Once you do this, if you have ovirt-node already installed, delete
> /etc/pki/vdsm/certs/engine_web_ca.pem to allow fetch ssl trust and
> allow registration in future.
>
> Regards,
> Alon Bar-Lev.
>
>
>
>
> --
> The conscious mind has only one thread of execution.
>
>
>
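
The file replacement steps quoted above, as an added example that is not part of the original thread: a shell function that builds the four files under a staging directory mirroring /etc/pki/ovirt-engine, then checks that the extracted key matches the certificate and that the certificate verifies against the CA chain before anything is copied into place. The function name, the staging directory and the P12_PASS environment variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the four files listed in the
# reply under a staging root that mirrors /etc/pki/ovirt-engine, then checks them.
# Assumption: the PKCS#12 passphrase is supplied in the P12_PASS env variable.
stage_apache_pki() {   # usage: stage_apache_pki STORE.p12 CA_CHAIN.pem STAGING_ROOT
    p12=$1; ca=$2; root=$3
    key=$root/keys/apache.key.nopass
    cer=$root/certs/apache.cer
    mkdir -p "$root/keys" "$root/certs" || return 1
    rm -f "$key" "$cer"

    old_umask=$(umask)
    umask 077          # the key is stored unencrypted, so keep it owner-only
    # Private key without a passphrase; openssl pkey drops the bag attributes.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -out "$key" 2>/dev/null
    cp "$p12" "$root/keys/apache.p12"
    umask "$old_umask"
    # Leaf certificate only; -clcerts leaves out CA certificates in the store.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -out "$cer" 2>/dev/null
    cp "$ca" "$root/apache-ca.pem"

    if [ ! -s "$key" ] || [ ! -s "$cer" ]; then
        echo "extraction failed (wrong passphrase or empty store?)" >&2; return 1
    fi
    # Check 1: the extracted key and certificate carry the same public key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "apache.key.nopass does not match apache.cer" >&2; return 2
    fi
    # Check 2: the certificate verifies against the CA chain file.
    if ! openssl verify -CAfile "$ca" "$cer" >/dev/null 2>&1; then
        echo "apache.cer does not chain to apache-ca.pem" >&2; return 3
    fi
    return 0
}

# Run directly: sh stage.sh STORE.p12 CA_CHAIN.pem STAGING_ROOT
if [ "$#" -eq 3 ]; then stage_apache_pki "$@"; fi
```

A non-zero return identifies which step failed: 1 for extraction, 2 for a key/certificate mismatch, 3 for a certificate that does not verify against the supplied chain.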