Appendix D. Red Hat Enterprise Virtualization and SSL

download PDF

D.1. Replacing the Red Hat Enterprise Virtualization Manager SSL Certificate


Do not change the permissions and ownerships for the /etc/pki directory or any subdirectories. The permission for the /etc/pki and the /etc/pki/ovirt-engine directory must remain as the default 755.
You want to use your organization's commercially signed certificate to identify your Red Hat Enterprise Virtualization Manager to users connecting over HTTPS.


Using a commercially issued certificate for https connections does not affect the certificate used for authentication between your Manager and hosts, they will continue to use the self-signed certificate generated by the Manager.

This procedure requires a PEM formatted certificate from your commercial certificate issuing authority, a .nokey file, and a .cer file. The .nokey and .cer files are sometimes distributed as a certificate-key bundle in the P12 format.

This procedure assumes that you have a certificate-key bundle in the P12 format.

Procedure D.1. Replacing the Red Hat Enterprise Virtualization Manager Apache SSL Certificate

  1. The Manager has been configured to use /etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to /etc/pki/ovirt-engine/ca.pem. Remove the symbolic link.
    # rm /etc/pki/ovirt-engine/apache-ca.pem
  2. Save your commercially issued certificate as /etc/pki/ovirt-engine/apache-ca.pem. The certificate chain must be complete up to the root certificate. The chain order is important and should be from the last intermediate certificate to the root certificate.
    mv YOUR-3RD-PARTY-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
  3. Move your P12 bundle to /etc/pki/ovirt-engine/keys/apache.p12.
  4. Extract the key from the bundle.
    # openssl pkcs12 -in  /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
  5. Extract the certificate from the bundle.
    # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
  6. Restart the Apache server.
    # service httpd restart
Your users can now connect to the portals without being warned about the authenticity of the certificate used to encrypt https traffic.


Replacing the certificate can cause the log collector to fail, as documented in To avoid this failure, edit the log collector's configuration:
  1. Export the CA certificate from the CA server and copy it to the Red Hat Enterprise Virtualization Manager server.
  2. Point the log collector to the new location by adding the following to /etc/ovirt-engine/logcollector.conf:
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.