[ovirt-users] Replacing Certificates in hosted-engine cluster

Martin Perina mperina at redhat.com
Thu Sep 29 12:12:34 UTC 2016

On Thu, Sep 29, 2016 at 1:09 PM, Joshua Doll <joshua.doll at gmail.com> wrote:

> If I have two CAs both claiming to be the root CA for a given Domain,
> essentially both claiming to be the same CA, this won't cause issues with
> communication between the engine and the two hosts? Does the CA used for
> communication between the hosts and the engine only exist in some protected
> trust store that is the only consulted source for this communication?

No, if you want to use a custom CA for HTTPS, it will not change anything on
the internal CA used for engine-hosts communications. A custom CA can be used
only for HTTPS certificates, and when a custom CA is configured properly we
use a different truststore for HTTPS than for engine-host communication.

> Thanks, Josh
> On Thu, Sep 29, 2016, 6:53 AM Martin Perina <mperina at redhat.com> wrote:
>> Hi,
>> by default engine uses its own CA to sign certificates for HTTPS access
>> and for engine-host communications. You can use your own CA only for HTTPS
>> certification.
>> So if you are using oVirt 4.0 and you want to start to use custom CA for
>> HTTPS certificates please take a look at Doc Text in:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1336838
>> https://bugzilla.redhat.com/show_bug.cgi?id=1313379
>> @Didi, are there any other steps required for hosted engine regarding
>> custom CA?
>> Thanks
>> Martin Perina
>> On Wed, Sep 28, 2016 at 1:07 PM, Joshua Doll <joshua.doll at gmail.com>
>> wrote:
>>> Hi, I have a two node cluster running a hosted-engine setup. I have
>>> stood up an enterprise CA and would like to replace the ovirt self-signed
>>> certificates. I can't find a list of all the certificates online. Is there
>>> a list, or can someone point me in the right direction?
>>> Thanks, Josh