Thank you for the information. Our internal network is isolated away from the campus LAN, so these steps should do exactly what I need. I will attempt this as soon as all systems have OpenSSL updated, and document what I can on the wiki.

Thanks,
- Trey

On Thu, Apr 10, 2014 at 5:26 AM, Alon Bar-Lev <alo...@redhat.com> wrote:
>
> Thank you Sven,
>
> I would avoid the engine rename process.
>
> Trey,
>
> If the internal network is not exposed to the Internet, only the engine SSL
> certificate and key may be re-enrolled.
>
> If you did not issue your own SSL certificate for the apache, execute the
> following to create a new key/certificate out of the engine internal CA,
> replace @PASSWORD@ with your own.
>
> # cp -a /etc/pki/ovirt-engine "/etc/pki/ovirt-engine.$(date "+%Y%m%d")"
> # SUBJECT="$(openssl x509 -subject -noout -in /etc/pki/ovirt-engine/certs/apache.cer | sed 's/subject= //')"
> # /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=apache --password="@PASSWORD@" --subject="${SUBJECT}"
> # openssl pkcs12 -passin "pass:@PASSWORD@" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
> # openssl pkcs12 -passin "pass:@PASSWORD@" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
> # chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass
>
> And restart apache.
>
> Regards,
> Alon
>
> ----- Original Message -----
>> From: "Sven Kieske" <s.kie...@mittwald.de>
>> To: users@ovirt.org
>> Sent: Thursday, April 10, 2014 12:41:17 PM
>> Subject: Re: [ovirt-users] Regenerating new SSL certificates for ovirt-engine
>>
>> Hi,
>>
>> as a first step, make sure to read and understand this page:
>> http://www.ovirt.org/Features/PKI
>>
>> There are different certificates for different things.
>>
>> I sadly have no time to elaborate on this difficult topic.
>>
>> But you may want to restrict the access to your engine
>> from the network side (firewalls, routing, etc.)
>> anyway, to minimize the impact of such vulns.
>>
>> HTH
>>
>> PS: Some instructions are also here if I remember
>> correctly:
>> http://www.ovirt.org/Changing_Engine_Hostname
>>
>> On 09.04.2014 17:42, Trey Dockendorf wrote:
>> > Given the recent OpenSSL heartbleed vulnerability, I would like to
>> > regenerate the certificates used by my ovirt-engine server. What are
>> > the steps to regenerate the certificates, and which certificates
>> > should be regenerated? My ovirt-engine host is on our campus LAN,
>> > which offers no real protection, so I would consider it public facing
>> > despite not being routable across the WAN. At minimum I'd like to
>> > regenerate the certificates used by Apache.
>> >
>> > I'd be happy to document this on the wiki, as the only items I could
>> > find were related to host renaming.
>> >
>> > Thanks,
>> > - Trey
>>
>>
>> --
>> Kind regards / Regards
>>
>> Sven Kieske
>>
>> System Administrator
>> Mittwald CM Service GmbH & Co. KG
>> Königsberger Straße 6
>> 32339 Espelkamp
>> T: +49-5772-293-100
>> F: +49-5772-293-333
>> https://www.mittwald.de
>> Managing Director: Robert Meyer
>> Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
>> General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
>> _______________________________________________
>> Users mailing list
>> Users@ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
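The re-enrollment steps Alon quotes above leave one question open that matters after a Heartbleed-style key disclosure: did the procedure actually produce a new key, or only a re-signed copy of the old one? The script below is an added example for checking that, not part of the thread or of oVirt's own tooling. It assumes openssl is in PATH, that the backup directory created by the first cp command still holds the old certificate and key, and that both directories use the certs/apache.cer and keys/apache.key.nopass layout from the thread; the function names are mine.

```shell
#!/bin/sh
# Added example: verify an Apache key/certificate re-enrollment on an
# oVirt engine. Not from the mailing-list thread or from oVirt itself.
# Assumes openssl in PATH and the directory layout quoted in the thread.
set -eu

# SHA-256 fingerprint of the public key carried inside a PEM certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from a PEM private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the new certificate's public key differs from the old one's, i.e.
# fresh key material was generated rather than the old key re-signed.
key_was_rotated() {
    old_fp=$(cert_pubkey_fp "$1")
    new_fp=$(cert_pubkey_fp "$2")
    [ "$old_fp" != "$new_fp" ]
}

# 0 if the certificate and the private key belong together (same public key).
cert_matches_key() {
    cert_fp=$(cert_pubkey_fp "$1")
    key_fp=$(key_pubkey_fp "$2")
    [ "$cert_fp" = "$key_fp" ]
}

# 0 if the private key file is readable by its owner only (mode 0600),
# the permission the thread's last chmod sets. GNU stat first, BSD fallback.
key_mode_is_0600() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Run all three checks: $1 is the backup directory (old), $2 the live one (new).
# Returns 0 only when every check passes.
check_rotation() {
    old_dir=$1
    new_dir=$2
    new_cer="$new_dir/certs/apache.cer"
    new_key="$new_dir/keys/apache.key.nopass"
    status=0
    if key_was_rotated "$old_dir/certs/apache.cer" "$new_cer"; then
        echo "ok:   public key changed since backup"
    else
        echo "FAIL: new certificate still carries the OLD public key"
        status=1
    fi
    if cert_matches_key "$new_cer" "$new_key"; then
        echo "ok:   certificate and key match"
    else
        echo "FAIL: certificate and key do not match"
        status=1
    fi
    if key_mode_is_0600 "$new_key"; then
        echo "ok:   key file mode is 0600"
    else
        echo "FAIL: key file is not mode 0600"
        status=1
    fi
    return $status
}

# Usage: sh check-apache-rotation.sh /etc/pki/ovirt-engine.YYYYMMDD /etc/pki/ovirt-engine
if [ "$#" -eq 2 ]; then
    check_rotation "$1" "$2"
fi
```

Running it against the dated backup and the live directory after the last step (and before restarting Apache) gives a yes/no answer on whether the old, potentially leaked, key is really gone from the engine's Apache configuration. A non-zero exit means the re-enrollment should be redone before the service is exposed again.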