Thank you Sven,

I would avoid the engine rename process.

Trey,

If the internal network is not exposed to the Internet, only the engine SSL 
certificate and key may be re-enrolled.

If you did not issue your own SSL certificate for the apache, execute the 
following to create a new key/certificate out of the engine internal CA, 
replace @PASSWROD@ with your own.

# cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
# SUBJECT="$(openssl x509 -subject -noout -in 
/etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
# /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache 
--password="@PASSWORD@" --subject="${SUBJECT}"
# openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in 
/etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in 
/etc/pki/ovirt-engine/keys/apache.p12 > 
/etc/pki/ovirt-engine/keys/apache.key.nopass
# chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass

And restart apache.

Regards,
Alon

----- Original Message -----
> From: "Sven Kieske" <s.kie...@mittwald.de>
> To: users@ovirt.org
> Sent: Thursday, April 10, 2014 12:41:17 PM
> Subject: Re: [ovirt-users] Regenerating new SSL certificates for ovirt-engine
> 
> Hi,
> 
> as a first step, make sure to read and understand this page:
> http://www.ovirt.org/Features/PKI
> 
> There are different certificates for different things.
> 
> I have sadly no time to elaborate on this difficult topic.
> 
> But you may want restrict the access to your engine
> from the network side (firewalls, routing, etc)
> anyway, to minimize the impact of such vulns.
> 
> HTH
> 
> PS: Some instructions are also here if I remember
> correctly:
> http://www.ovirt.org/Changing_Engine_Hostname
> 
> Am 09.04.2014 17:42, schrieb Trey Dockendorf:
> > Given the recent OpenSSL heartbleed vulnerability, I would like to
> > regenerate the certificates used by my ovirt-engine server.  What are
> > the steps to regenerate the certificates, and which certificates
> > should be regenerated?  My ovirt-engine host is on our campus LAN,
> > which offers no real protection, so I would consider it public facing
> > despite not being routable across the WAN.  At minimum I'd like to
> > regenerate the certificates used by Apache.
> > 
> > I'd be happy to document this on the wiki, as the only items I could
> > find were related to host renaming.
> > 
> > Thanks,
> > - Trey
> 
> 
> --
> Mit freundlichen Grüßen / Regards
> 
> Sven Kieske
> 
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Geschäftsführer: Robert Meyer
> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
> _______________________________________________
> Users mailing list
> Users@ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
> 
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

Reply via email to