On Fri, Dec 16, 2022 at 1:06 PM Vinz Vinz <v...@itiviti.com> wrote: > > Hi David, > > thx for your answer. > > I have tried this non official documentation because it was the clearest and > more straight forward I've found. > indeed it's not perfect in terme of security, but having to renew each year > so many different certificate across multiple cluster is really not > convenient. The first time we had a certificate expiration we were not ready > and long story short it brought us a production issue... > > indeed this doc doesn't mention vdsm, but the current start date of our vdsm > certificate is matching with the date where we applied this doc, so I was > quite suprised too, but it's definitively not related. Anyway we have a lot > of vdsm cert that will expire next year, and we should be ready. (ovirt > 4.4.10) > > I did a recent install of ovirt 4.5, and vdsm cert are valid for 5 years, > which is really better. > > with our 4.4.10 clusters, if we "enrol cert", it will again be for one year? > I guess the only way to have a bigger period would be to update our cluster > to 4.5?
I think you can also change the default cert lifetime with engine-config, item VdsCertificateValidityInDays. Didn't test this myself. If it works, it should affect new certificates, not existing ones. Best regards, -- Didi _______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/6IW7H6D2EGZFWO2QT72OL7ZDBWWTM4GY/