On 11/20/2013 08:58 PM, i iordanov wrote:
Thanks Alon and Thomas!

iordan

iordan - maybe wikify for future generations?

thanks,
   Itamar



On Wed, Nov 20, 2013 at 1:51 PM, Alon Bar-Lev <alo...@redhat.com> wrote:



    ----- Original Message -----
     > From: "i iordanov" <iiorda...@gmail.com>
     > To: users@ovirt.org
     > Sent: Wednesday, November 20, 2013 6:50:04 PM
     > Subject: [Users] replacing self-signed certificates
     >
     > Hello,
     >
     > I searched around but could not come up with specific instructions for how to
     > replace the self-signed certificates in an oVirt 3.3 setup with
     > non-self-signed certificates. I need to ensure that my oVirt/SPICE client
     > actually does the right thing when connecting to a machine with a 3rd party
     > signed certificate.
     >
     > Presumably, I would be able to adapt the instructions provided here:
     > http://www.ovirt.org/How_to_change_engine_host_name
     >
     > right? Which steps need to be modified? If I hammer at it long enough, I
     > would probably succeed in getting it to work at some point, but I was hoping
     > for somebody more experienced to help me over the initial hurdle.
     >
     > In case I have to reinstall to use non-self-signed certificates, how do I go
     > about preparing the environment prior to running engine-setup?

    Usually there is no need to replace any other certificate than the
    certificate that is used for apache frontend.

    No need to touch the spice and other certificates and keys.

    Replace /etc/pki/ovirt-engine/apache-ca.pem with your 3rd party CA
    certificate chain.
    Replace /etc/pki/ovirt-engine/keys/apache.p12 with key store.
    Extract key from apache.p12 to
    /etc/pki/ovirt-engine/keys/apache.key.nopass; do not protect it with a
    password.
    Extract certificate from apache.p12 to
    /etc/pki/ovirt-engine/certs/apache.cer.

    Alternatively, you can configure the mod_ssl as you wish.

    Once you do this, if you have ovirt-node already installed, delete
    /etc/pki/vdsm/certs/engine_web_ca.pem to allow fetching the SSL trust and
    allow registration in the future.

    Regards,
    Alon Bar-Lev.




--
The conscious mind has only one thread of execution.


_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
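
The two extraction steps in Alon's reply, followed by a consistency check, as an added example that is not part of the thread and not oVirt's own tooling. The function names, the `PKI_ROOT` override and the `P12_PASS` environment variable holding the key store password are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. PKI_ROOT defaults to the directory named in the thread;
# point it at a staging copy to rehearse the change before touching the engine.
# Assumption: the key store password is exported as P12_PASS.
PKI_ROOT="${PKI_ROOT:-/etc/pki/ovirt-engine}"

# Extract the unencrypted key and the server certificate from apache.p12.
extract_apache_p12() {
    p12="$PKI_ROOT/keys/apache.p12"
    key="$PKI_ROOT/keys/apache.key.nopass"
    cer="$PKI_ROOT/certs/apache.cer"
    (
        umask 077   # the key is written without a passphrase: keep it owner-only
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes -out "$key"
    ) || return 1
    # -clcerts keeps only the leaf certificate; the CA chain stays in apache-ca.pem
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts -out "$cer"
}

# Succeeds only if the key and certificate carry the same public key and the
# certificate verifies against the chain in apache-ca.pem.
check_apache_pair() {
    key_pub=$(openssl pkey -in "$PKI_ROOT/keys/apache.key.nopass" -pubout) || return 1
    cer_pub=$(openssl x509 -in "$PKI_ROOT/certs/apache.cer" -noout -pubkey) || return 1
    if [ "$key_pub" != "$cer_pub" ]; then
        echo "apache.key.nopass does not match apache.cer" >&2
        return 1
    fi
    openssl verify -CAfile "$PKI_ROOT/apache-ca.pem" "$PKI_ROOT/certs/apache.cer" >/dev/null
}
```

Running `extract_apache_p12 && check_apache_pair` before restarting Apache catches a key store that was built from the wrong key or a chain file that does not cover the issued certificate.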

