Red Hat SummitAppendix D. Red Hat Enterprise Virtualization and SSL
D.1. Replacing the Red Hat Enterprise Virtualization Manager SSL Certificate
Warning
Do not change the permissions and ownerships for the
/etc/pki directory or any subdirectories. The permission for the /etc/pki and the /etc/pki/ovirt-engine directory must remain as the default 755.
You want to use your organization's commercially signed certificate to identify your Red Hat Enterprise Virtualization Manager to users connecting over HTTPS.
Note
Using a commercially issued certificate for https connections does not affect the certificate used for authentication between your Manager and hosts, they will continue to use the self-signed certificate generated by the Manager.
Prerequisites
This procedure requires a PEM formatted certificate from your commercial certificate issuing authority, a .nokey file, and a .cer file. The .nokey and .cer files are sometimes distributed as a certificate-key bundle in the P12 format.
This procedure assumes that you have a certificate-key bundle in the P12 format.
Procedure D.1. Replacing the Red Hat Enterprise Virtualization Manager Apache SSL Certificate
- The Manager has been configured to use
/etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to/etc/pki/ovirt-engine/ca.pem. Remove the symbolic link.Copy to Clipboard Copied! Toggle word wrap Toggle overflow rm /etc/pki/ovirt-engine/apache-ca.pem
# rm /etc/pki/ovirt-engine/apache-ca.pem - Save your commercially issued certificate as
/etc/pki/ovirt-engine/apache-ca.pem. The certificate chain must be complete up to the root certificate. The chain order is important and should be from the last intermediate certificate to the root certificate.Copy to Clipboard Copied! Toggle word wrap Toggle overflow mv YOUR-3RD-PARTY-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
mv YOUR-3RD-PARTY-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem - Move your P12 bundle to
/etc/pki/ovirt-engine/keys/apache.p12. - Extract the key from the bundle.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass - Extract the certificate from the bundle.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer - Restart the Apache server.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow service httpd restart
# service httpd restart
Your users can now connect to the portals without being warned about the authenticity of the certificate used to encrypt https traffic.
Important
Replacing the certificate can cause the log collector to fail, as documented in https://access.redhat.com/solutions/458713. To avoid this failure, edit the log collector's configuration:
- Export the CA certificate from the CA server and copy it to the Red Hat Enterprise Virtualization Manager server.
- Point the log collector to the new location by adding the following to
/etc/ovirt-engine/logcollector.conf:Copy to Clipboard Copied! Toggle word wrap Toggle overflow cert-file=/path/to/new/CA/file
cert-file=/path/to/new/CA/file
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}