Thank you Sven, I would avoid the engine rename process.

Trey,

If the internal network is not exposed to the Internet, only the engine SSL certificate and key may be re-enrolled.

If you did not issue your own SSL certificate for the apache, execute the following to create a new key/certificate out of the engine internal CA, replace @PASSWORD@ with your own.

# cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
# SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject="${SUBJECT}"
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass

And restart apache.

Regards,
Alon

----- Original Message -----
> From: "Sven Kieske" <s.kie...@mittwald.de>
> To: users@ovirt.org
> Sent: Thursday, April 10, 2014 12:41:17 PM
> Subject: Re: [ovirt-users] Regenerating new SSL certificates for ovirt-engine
>
> Hi,
>
> as a first step, make sure to read and understand this page:
> http://www.ovirt.org/Features/PKI
>
> There are different certificates for different things.
>
> I have sadly no time to elaborate on this difficult topic.
>
> But you may want to restrict the access to your engine
> from the network side (firewalls, routing, etc)
> anyway, to minimize the impact of such vulns.
>
> HTH
>
> PS: Some instructions are also here if I remember
> correctly:
> http://www.ovirt.org/Changing_Engine_Hostname
>
> Am 09.04.2014 17:42, schrieb Trey Dockendorf:
> > Given the recent OpenSSL heartbleed vulnerability, I would like to
> > regenerate the certificates used by my ovirt-engine server. What are
> > the steps to regenerate the certificates, and which certificates
> > should be regenerated? My ovirt-engine host is on our campus LAN,
> > which offers no real protection, so I would consider it public facing
> > despite not being routable across the WAN. At minimum I'd like to
> > regenerate the certificates used by Apache.
> >
> > I'd be happy to document this on the wiki, as the only items I could
> > find were related to host renaming.
> >
> > Thanks,
> > - Trey
> >
>
> --
> Mit freundlichen Grüßen / Regards
>
> Sven Kieske
>
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Geschäftsführer: Robert Meyer
> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
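
A post-rotation check for the procedure in Alon's reply, as an added example that is not part of the original thread or of oVirt: it confirms that the new Apache certificate carries a different public key than the one saved by the `cp -a` backup, that the certificate and key belong together, and that the unencrypted key file has mode 0600. The function names are hypothetical; the `openssl` CLI and GNU `stat` are assumed.

```shell
#!/usr/bin/env bash
# Added example: checks to run after re-enrolling the Apache key/certificate.
# Function names are hypothetical; requires the openssl CLI and GNU stat.
# Usage with the paths from the thread (YYYYMMDD = date suffix of the backup):
#   check_rotation /etc/pki/ovirt-engine.YYYYMMDD/certs/apache.cer \
#                  /etc/pki/ovirt-engine/certs/apache.cer \
#                  /etc/pki/ovirt-engine/keys/apache.key.nopass

# PEM public key embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from a private key.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds only if the new certificate carries a different public key than
# the old one, i.e. the key that may have leaked is no longer in use.
key_was_rotated() {
    local old new
    old=$(cert_pubkey "$1") && new=$(cert_pubkey "$2") || return 1
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# Succeeds only if the private key belongs to the certificate.
pair_matches() {
    local c k
    c=$(cert_pubkey "$1") && k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the unencrypted key file has mode 0600.
key_mode_ok() { [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]; }

# Run all three checks; print each failure and return non-zero on any.
check_rotation() {
    local old_cert="$1" new_cert="$2" new_key="$3" rc=0
    key_was_rotated "$old_cert" "$new_cert" ||
        { echo "FAIL: new certificate reuses the old public key" >&2; rc=1; }
    pair_matches "$new_cert" "$new_key" ||
        { echo "FAIL: key does not match certificate" >&2; rc=1; }
    key_mode_ok "$new_key" ||
        { echo "FAIL: key file mode is not 0600" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key rotated, pair matches, mode 0600"
    return "$rc"
}
```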