[ovirt-users] Regenerating new SSL certificates for ovirt-engine

Trey Dockendorf treydock at gmail.com
Thu Apr 10 22:54:59 UTC 2014


Thank you for the information.

Our internal network is isolated away from the campus LAN, so these
steps should do exactly what I need.  Will attempt as soon as all
systems have OpenSSL updated and document what I can on wiki.

Thanks,
- Trey

On Thu, Apr 10, 2014 at 5:26 AM, Alon Bar-Lev <alonbl at redhat.com> wrote:
>
> Thank you Sven,
>
> I would avoid the engine rename process.
>
> Trey,
>
> If the internal network is not exposed to the Internet, only the engine SSL certificate and key may be re-enrolled.
>
> If you did not issue your own SSL certificate for the apache, execute the following to create a new key/certificate out of the engine internal CA, replace @PASSWORD@ with your own.
>
> # cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
> # SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
> # /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject="${SUBJECT}"
> # openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
> # openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
> # chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
>
> And restart apache.
>
> Regards,
> Alon
>
> ----- Original Message -----
>> From: "Sven Kieske" <S.Kieske at mittwald.de>
>> To: users at ovirt.org
>> Sent: Thursday, April 10, 2014 12:41:17 PM
>> Subject: Re: [ovirt-users] Regenerating new SSL certificates for ovirt-engine
>>
>> Hi,
>>
>> as a first step, make sure to read and understand this page:
>> http://www.ovirt.org/Features/PKI
>>
>> There are different certificates for different things.
>>
>> I have sadly no time to elaborate on this difficult topic.
>>
>> But you may want to restrict the access to your engine
>> from the network side (firewalls, routing, etc)
>> anyway, to minimize the impact of such vulns.
>>
>> HTH
>>
>> PS: Some instructions are also here if I remember
>> correctly:
>> http://www.ovirt.org/Changing_Engine_Hostname
>>
>> Am 09.04.2014 17:42, schrieb Trey Dockendorf:
>> > Given the recent OpenSSL heartbleed vulnerability, I would like to
>> > regenerate the certificates used by my ovirt-engine server.  What are
>> > the steps to regenerate the certificates, and which certificates
>> > should be regenerated?  My ovirt-engine host is on our campus LAN,
>> > which offers no real protection, so I would consider it public facing
>> > despite not being routable across the WAN.  At minimum I'd like to
>> > regenerate the certificates used by Apache.
>> >
>> > I'd be happy to document this on the wiki, as the only items I could
>> > find were related to host renaming.
>> >
>> > Thanks,
>> > - Trey
>>
>>
>> --
>> Mit freundlichen Grüßen / Regards
>>
>> Sven Kieske
>>
>> Systemadministrator
>> Mittwald CM Service GmbH & Co. KG
>> Königsberger Straße 6
>> 32339 Espelkamp
>> T: +49-5772-293-100
>> F: +49-5772-293-333
>> https://www.mittwald.de
>> Geschäftsführer: Robert Meyer
>> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
>> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>>
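A post-change check for the re-enrollment steps Alon lists above, added here as an example and not part of the thread: it confirms the new apache.cer belongs to the new key, that the subject survived, that the certificate (and so the key material) actually changed, and that it still chains to the engine CA. The paths are the defaults those commands write to, and the backup directory name and ca.pem path are assumptions.

```shell
#!/bin/sh
# Sanity checks after re-enrolling the oVirt engine apache certificate.
# Added example, not from the thread; paths in the usage note are assumptions.
set -u

# SHA-256 of the public key inside a certificate or a private key, so the two
# can be compared without caring about the container format.
pubkey_fp_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
pubkey_fp_of_key()  { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }

# 0 if the certificate was issued for exactly this private key.
cert_matches_key() { [ "$(pubkey_fp_of_cert "$1")" = "$(pubkey_fp_of_key "$2")" ]; }

cert_subject()     { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# verify_reenroll OLD_CERT NEW_CERT NEW_KEY [CA_CERT]
# Returns 0 only if: new cert and key belong together, the subject survived the
# re-enrollment, the certificate really changed (fresh key material), and,
# when a CA is given, the new certificate chains to it.
verify_reenroll() {
    old=$1; new=$2; key=$3; ca=${4:-}
    cert_matches_key "$new" "$key" || { echo "FAIL: $new does not match $key" >&2; return 1; }
    [ "$(cert_subject "$old")" = "$(cert_subject "$new")" ] \
        || { echo "FAIL: subject changed: $(cert_subject "$new")" >&2; return 1; }
    [ "$(cert_fingerprint "$old")" != "$(cert_fingerprint "$new")" ] \
        || { echo "FAIL: certificate unchanged, old key still in use" >&2; return 1; }
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$new" >/dev/null 2>&1 \
            || { echo "FAIL: $new does not chain to $ca" >&2; return 1; }
    fi
    echo "OK: $new re-enrolled with a fresh key, subject '$(cert_subject "$new")'"
}

# Typical call after the steps above (backup directory date and ca.pem assumed):
# verify_reenroll /etc/pki/ovirt-engine.20140410/certs/apache.cer \
#     /etc/pki/ovirt-engine/certs/apache.cer \
#     /etc/pki/ovirt-engine/keys/apache.key.nopass \
#     /etc/pki/ovirt-engine/ca.pem
```

Run it before restarting apache; a non-zero exit means the old key is still in service or the new files do not belong together.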