[ovirt-users] Regenerating SSL keys
Jamie Lawrence
jlawrence at squaretrade.com
Tue May 16 17:44:19 UTC 2017
> On May 14, 2017, at 3:35 AM, Yedidyah Bar David <didi at redhat.com> wrote:
> In addition to Yaniv's explanation below, can you explain why it was
> bad? That is, what software/process was broken by it? Please note that
> this is the CN of the CA's cert, not of the individual certs it signs
> (such as the one for the web server for https) - these have the FQDN
> you supplied to engine-setup as their CN.
You're absolutely right; my apologies for that red herring. I confused myself after too long at the keyboard.
>> The 5 random digits are supposed to be OK, and are actually a feature - it
>> ensures uniqueness if you re-generate (most likely reinstall your Engine),
>> as otherwise some browsers fail miserably if a CA cert mismatches what they
>> know.
>>
>> SAN is being worked on - we are aware of Chrome 58 now requiring it.
>> I sincerely hope to see it in 4.1.2 (see https://bugzilla.redhat.com/1449084
>> ).
>
> Indeed, and see my comment 5 there for how to add SAN to an existing
> setup, _after_ you upgrade to 4.1.2 when it's out.
Great, that's handy.
> See also:
>
> https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/
Thanks for the pointer! That was the missing piece for me; my Google-fu failed to uncover it. I think I have what I need.
Thanks again to both of you,
-j