[ovirt-users] Regenerating new SSL certificates for ovirt-engine

Alon Bar-Lev alonbl at redhat.com
Thu Apr 10 10:26:48 UTC 2014


Thank you Sven,

I would avoid the engine rename process.

Trey,

If the internal network is not exposed to the Internet, only the engine SSL certificate and key may be re-enrolled.

If you did not issue your own SSL certificate for the apache, execute the following to create a new key/certificate out of the engine internal CA, replace @PASSWROD@ with your own.

# cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
# SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject="${SUBJECT}"
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass

And restart apache.

Regards,
Alon

----- Original Message -----
> From: "Sven Kieske" <S.Kieske at mittwald.de>
> To: users at ovirt.org
> Sent: Thursday, April 10, 2014 12:41:17 PM
> Subject: Re: [ovirt-users] Regenerating new SSL certificates for ovirt-engine
> 
> Hi,
> 
> as a first step, make sure to read and understand this page:
> http://www.ovirt.org/Features/PKI
> 
> There are different certificates for different things.
> 
> I have sadly no time to elaborate on this difficult topic.
> 
> But you may want restrict the access to your engine
> from the network side (firewalls, routing, etc)
> anyway, to minimize the impact of such vulns.
> 
> HTH
> 
> PS: Some instructions are also here if I remember
> correctly:
> http://www.ovirt.org/Changing_Engine_Hostname
> 
> Am 09.04.2014 17:42, schrieb Trey Dockendorf:
> > Given the recent OpenSSL heartbleed vulnerability, I would like to
> > regenerate the certificates used by my ovirt-engine server.  What are
> > the steps to regenerate the certificates, and which certificates
> > should be regenerated?  My ovirt-engine host is on our campus LAN,
> > which offers no real protection, so I would consider it public facing
> > despite not being routable across the WAN.  At minimum I'd like to
> > regenerate the certificates used by Apache.
> > 
> > I'd be happy to document this on the wiki, as the only items I could
> > find were related to host renaming.
> > 
> > Thanks,
> > - Trey
> 
> 
> --
> Mit freundlichen Grüßen / Regards
> 
> Sven Kieske
> 
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Geschäftsführer: Robert Meyer
> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 



More information about the Users mailing list