[Users] replace engine hostname /pki

Sven Kieske S.Kieske at mittwald.de
Wed Jan 29 14:09:52 UTC 2014


Thanks for the link,

I will work through the page and see if any questions pop up.
also thanks to yedidyah for the clarification!

On 29.01.2014 14:23, Alon Bar-Lev wrote:
> 
> 
> ----- Original Message -----
>> From: "Yedidyah Bar David" <didi at redhat.com>
>> To: "Sven Kieske" <S.Kieske at mittwald.de>
>> Cc: "Users at ovirt.org List" <Users at ovirt.org>, "Alon Bar-Lev" <alonbl at redhat.com>
>> Sent: Wednesday, January 29, 2014 3:12:21 PM
>> Subject: Re: [Users] replace engine hostname /pki
>>
>> (Following a discussion with Alon)
> 
> Hi,
> 
> I hope you find this[1] helpful, if not we should work to make it better.
> 
> Thanks,
> 
> [1] http://www.ovirt.org/Features/PKI
> 
>>
>> ----- Original Message -----
>>> From: "Sven Kieske" <S.Kieske at mittwald.de>
>>> To: "Yedidyah Bar David" <didi at redhat.com>
>>> Cc: "Users at ovirt.org List" <Users at ovirt.org>
>>> Sent: Wednesday, January 29, 2014 1:24:40 PM
>>> Subject: Re: [Users] replace engine hostname /pki
>>>
>>> Additional question regarding the certificates/pki:
>>>
>>> the wikipage states:
>>>
>>> "The bigger concern is with the engine's certificate. Currently, to the
>>> best of our knowledge, there is no component that actually checks this
>>> trust."
>>
>> Well, this is not accurate. The trust path _is_ checked, but against the
>> saved CA cert. On host deploy the host saves the CA cert and so can verify
>> the trust path even if the CA's hostname does not exist any more and can't
>> be connected to in order to get /ca.crt.
>>
>> The point was that if there is something (e.g. spice client, web browser)
>> that checks the trust path, this will fail, if this client did not have the
>> ca cert, or tries to download it again after the rename.
>>
>>> (All three certificates (CA, httpd, engine) are for the Common Name (CN)
>>> whose value is the hostname entered during engine-setup, which is
>>> supposed to be the hostname of the engine's machine, exist in the DNS
>>> (forward and reverse records), and point to an IP address of the
>>> engine's machine.)
>>>
>>> Is there a list of values that get checked? e.g. the validity dates
>>> before and after?
>>
>> Yes, these are checked.
>>
>>>
>>> Users might run into trouble in 10 years if this gets checked, because
>>> that is the current expiration date.
>>
>> Indeed. If oVirt systems live for 10 years, (1) we'll be very happy :-),
>> and (2) all certificates will need to be reissued. You can verify this
>> today by moving the clock.
>>
>>>
>>> if _nothing_ gets checked I wonder why the PKI is used at all ;)
>>>
>>> (I assume at least the keys get checked)
>>
>> Yes.
>>
>> Alon also added: Revocations are not checked. This means that if someone
>> breaks into your engine, there is no simple way to tell the hosts to not
>> trust the old engine key anymore.
>> --
>> Didi
>>
> 
> 
> 

-- 
Kind regards / Regards

Sven Kieske

System administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
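
The three points made in the thread (the trust path is verified against the locally saved CA certificate, validity dates are part of that check, and revocations are not checked) can be reproduced with a throwaway PKI. The script below is an added example and is not code from this thread or from the oVirt project: it assumes only that the openssl command-line tool is installed, and the hostname engine.example.test, the CA name demo-ca and the working directory are constructed for the demonstration. Instead of moving the system clock, it moves the verifier's clock with `openssl verify -attime`.

```shell
#!/bin/sh
# Added example, not from the oVirt thread or the oVirt project.
# Demonstrates, with a constructed CA and engine certificate:
#   1. chain verification against a saved CA file (no contact with the CA host);
#   2. validity dates as part of that check (clock moved with -attime);
#   3. revocation being ignored unless the verifier explicitly loads a CRL.
# Assumptions: openssl CLI installed; names and paths below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ENGINE_FQDN="engine.example.test"   # constructed engine hostname

# Minimal config shared by 'openssl req' (so no system openssl.cnf is needed)
# and by 'openssl ca' (only its revoke/CRL functions are used here).
write_config() {
    mkdir -p "$WORK/db"
    : > "$WORK/db/index.txt"
    echo 1000 > "$WORK/db/crlnumber"
    cat > "$WORK/demo.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
default_md = sha256
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = $WORK/db/index.txt
crlnumber = $WORK/db/crlnumber
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF
}

# Constructed CA plus an engine certificate whose CN is the engine hostname.
make_pki() {
    write_config
    openssl req -config "$WORK/demo.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 3650 \
        -subj "/CN=demo-ca" >/dev/null 2>&1
    openssl req -config "$WORK/demo.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/engine.key" -out "$WORK/engine.csr" \
        -subj "/CN=$ENGINE_FQDN" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/engine.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 3650 \
        -out "$WORK/engine.cer" >/dev/null 2>&1
}

# Point 1: trust path against the saved CA file only. Nothing resolves or
# connects to the CA's hostname, so renaming the engine does not break this.
check_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/engine.cer" >/dev/null 2>&1
}

# Point 2: the same check as of a given time (epoch seconds); it fails
# outside the certificate's notBefore..notAfter window.
check_chain_at() {
    openssl verify -CAfile "$WORK/ca.crt" -attime "$1" "$WORK/engine.cer" \
        >/dev/null 2>&1
}

# Name binding: the certificate's CN must match the name the client expects.
check_hostname() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/engine.cer" >/dev/null 2>&1
}

# Point 3: revoke the engine certificate and publish a CRL from the CA.
revoke_engine_cert() {
    openssl ca -config "$WORK/demo.cnf" -revoke "$WORK/engine.cer" >/dev/null 2>&1
    openssl ca -config "$WORK/demo.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1
}

# Only a verifier that loads the CRL and asks for -crl_check sees the revocation;
# check_chain above keeps succeeding after revoke_engine_cert.
check_chain_with_crl() {
    openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" -crl_check \
        "$WORK/engine.cer" >/dev/null 2>&1
}

demo() {
    make_pki
    check_chain && echo "chain against saved CA: OK"
    check_chain_at 4102444800 || echo "chain as of 2100-01-01: FAIL (expired)"
    check_hostname "$ENGINE_FQDN" && echo "hostname $ENGINE_FQDN: OK"
    check_hostname "other.example.test" || echo "hostname other.example.test: FAIL"
    revoke_engine_cert
    check_chain && echo "after revocation, plain chain check: still OK"
    check_chain_with_crl || echo "after revocation, with -crl_check: FAIL (revoked)"
}
demo
```

The last two lines of output are the practical consequence Alon raised: once the engine key is compromised and its certificate revoked, a relying party that only does the plain chain check (as the hosts described in the thread do) keeps trusting it; distributing the CRL and enabling the revocation check on the verifier side is what turns the revocation into an actual rejection.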

