Thank you Sven,
I would avoid the engine rename process.
Trey,
If the internal network is not exposed to the Internet, only the engine SSL
certificate and key may be re-enrolled.
If you did not issue your own SSL certificate for the apache, execute the
following to create a new key/certificate out of the engine internal CA,
replace @PASSWROD@ with your own.
# cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
# SUBJECT="$(openssl x509 -subject -noout -in
/etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache
--password="@PASSWORD@" --subject="${SUBJECT}"
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in
/etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in
/etc/pki/ovirt-engine/keys/apache.p12 >
/etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
And restart apache.
Regards,
Alon
----- Original Message -----
> From: "Sven Kieske" <s.kie...@mittwald.de>
> To: users@ovirt.org
> Sent: Thursday, April 10, 2014 12:41:17 PM
> Subject: Re: [ovirt-users] Regenerating new SSL certificates for ovirt-engine
>
> Hi,
>
> as a first step, make sure to read and understand this page:
> http://www.ovirt.org/Features/PKI
>
> There are different certificates for different things.
>
> I have sadly no time to elaborate on this difficult topic.
>
> But you may want restrict the access to your engine
> from the network side (firewalls, routing, etc)
> anyway, to minimize the impact of such vulns.
>
> HTH
>
> PS: Some instructions are also here if I remember
> correctly:
> http://www.ovirt.org/Changing_Engine_Hostname
>
> Am 09.04.2014 17:42, schrieb Trey Dockendorf:
> > Given the recent OpenSSL heartbleed vulnerability, I would like to
> > regenerate the certificates used by my ovirt-engine server. What are
> > the steps to regenerate the certificates, and which certificates
> > should be regenerated? My ovirt-engine host is on our campus LAN,
> > which offers no real protection, so I would consider it public facing
> > despite not being routable across the WAN. At minimum I'd like to
> > regenerate the certificates used by Apache.
> >
> > I'd be happy to document this on the wiki, as the only items I could
> > find were related to host renaming.
> >
> > Thanks,
> > - Trey
>
>
> --
> Mit freundlichen Grüßen / Regards
>
> Sven Kieske
>
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Geschäftsführer: Robert Meyer
> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
