
Appendix D. Red Hat Virtualization and Encrypted Communication


Warning

Do not change the permissions and ownerships for the /etc/pki directory or any subdirectories. The permission for the /etc/pki and the /etc/pki/ovirt-engine directory must remain as the default, 755.

You can configure your organization’s third-party CA certificate to identify the Red Hat Virtualization Manager to users connecting over HTTPS.

Note

Using a third-party CA certificate for HTTPS connections does not affect the certificate used for authentication between the Manager and hosts. They will continue to use the self-signed certificate generated by the Manager.

Prerequisites

  • A third-party CA certificate. This is the certificate of the CA (Certificate Authority) that issued the certificate you want to use. It is provided as a PEM file. The certificate chain must be complete up to the root certificate. The chain’s order is critical and must be from the last intermediate certificate to the root certificate. This procedure assumes that the third-party CA certificate is provided in /tmp/3rd-party-ca-cert.pem.
  • The private key that you want to use for Apache httpd. It must not have a password. This procedure assumes that it is located in /tmp/apache.key.
  • The certificate issued by the CA. This procedure assumes that it is located in /tmp/apache.cer.

If you received the private key and certificate from your CA in a P12 file, use the following procedure to extract them. For other file formats, contact your CA. After extracting the private key and certificate, proceed to Replacing the Red Hat Virtualization Manager Apache CA Certificate.

Extracting the Certificate and Private Key from a P12 Bundle

The internal CA stores the internally generated key and certificate in a P12 file, in /etc/pki/ovirt-engine/keys/apache.p12. Red Hat recommends storing your new file in the same location. The following procedure assumes that the new P12 file is in /tmp/apache.p12.

  1. Back up the current apache.p12 file:

    # cp -p /etc/pki/ovirt-engine/keys/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12.bck
  2. Replace the current file with the new file:

    # cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
  3. Extract the private key and certificate to the required locations. If the file is password protected, add -passin pass:password to both commands, replacing password with the bundle's password. The -nokeys command writes every certificate in the bundle, including any CA certificates it carries; add -clcerts to extract only the server certificate.

    # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /tmp/apache.key
    # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /tmp/apache.cer
Important

For new Red Hat Virtualization installations, you must complete all of the steps in this procedure. If you upgraded from a Red Hat Enterprise Virtualization 3.6 environment with a commercially signed certificate already configured, only steps 1, 8, and 9 are required.

Replacing the Red Hat Virtualization Manager Apache CA Certificate

  1. Add your CA certificate to the host-wide trust store:

    # cp /tmp/3rd-party-ca-cert.pem /etc/pki/ca-trust/source/anchors
    # update-ca-trust
  2. The Manager has been configured to use /etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to /etc/pki/ovirt-engine/ca.pem. Remove the symbolic link:

    # rm /etc/pki/ovirt-engine/apache-ca.pem
  3. Save your CA certificate as /etc/pki/ovirt-engine/apache-ca.pem:

    # cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem
  4. Back up the existing private key and certificate:

    # cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
    # cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
  5. Copy the private key to the required location:

    # cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
  6. Copy the certificate to the required location:

    # cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
  7. Restart the Apache server:

    # systemctl restart httpd.service
  8. Create a new trust store configuration file, /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf, with the following parameters:

    ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
    ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
  9. Edit the /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf file, adding the following parameters. The certificate path is the location the certificate was copied to in step 6:

    SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
    SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
  10. Restart the ovirt-provider-ovn service:

    # systemctl restart ovirt-provider-ovn.service
  11. Restart the ovirt-engine service:

    # systemctl restart ovirt-engine.service

Your users can now connect to the Administration Portal and VM Portal, without seeing a warning about the authenticity of the certificate used to encrypt HTTPS traffic.
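The two procedures above copy files into place but never check that they belong together. The script below is an added example, not Red Hat's code and not part of this documentation: it wraps the P12 extraction from the first procedure in a function and adds the pre-flight checks a practitioner wants before step 5 of the replacement procedure, namely that the key has no password (as the prerequisites require), that the key matches the certificate, and that the certificate verifies against the CA file that becomes apache-ca.pem, which fails if the chain does not reach the root. It assumes only the openssl command-line tool. The make_fixtures function builds a constructed stand-in for what a real CA would deliver (a throwaway root, intermediate, server certificate and P12; the name manager.example.com and all file names are hypothetical) so the checks can be exercised offline.

```shell
#!/bin/bash
# Added example (not from the Red Hat documentation). Requires the openssl CLI.
# The functions take file paths; make_fixtures creates constructed test input.

# The page's two openssl pkcs12 commands, with -passin for a protected bundle
# and -clcerts so CA certificates in the bundle are not written to the cert file.
extract_from_p12() {
    local p12="$1" pass="$2" out_key="$3" out_cert="$4"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out_key" 2>/dev/null &&
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$out_cert" 2>/dev/null
}

# apache.key.nopass must load without a password; an encrypted key fails here
# because the dummy password is wrong, and an unencrypted key ignores it.
key_has_no_password() {
    openssl pkey -in "$1" -noout -passin pass:__not_the_password__ >/dev/null 2>&1
}

# The key must belong to the certificate: compare SHA-256 of the DER public key
# derived from each side.
key_matches_cert() {
    local key="$1" cert="$2" key_pub cert_pub
    key_pub=$(openssl pkey -in "$key" -passin pass:__not_the_password__ -pubout -outform DER 2>/dev/null |
              openssl dgst -sha256) || return 1
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null |
               openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# The certificate must verify against the CA file (intermediates plus root);
# a chain that stops at an intermediate is rejected, as the prerequisites demand.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check; a non-zero exit means do not copy the files into /etc/pki yet.
preflight() {
    local key="$1" cert="$2" ca="$3"
    key_has_no_password "$key"      || { echo "FAIL: $key is password protected" >&2; return 1; }
    key_matches_cert "$key" "$cert" || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    cert_chains_to_ca "$cert" "$ca" || { echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    echo "OK: $key, $cert and $ca are consistent"
}

# Constructed fixtures in a temporary directory (path printed): root CA,
# intermediate CA, server key and certificate, a P12 of the server pair, an
# unrelated key and an encrypted copy of the server key for the negative cases.
make_fixtures() {
    local d; d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=manager.example.com" \
        -keyout "$d/apache.key" -out "$d/apache.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/apache.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/apache.cer" >/dev/null 2>&1
    # CA file in the order the prerequisites require: last intermediate first, root last
    cat "$d/int.pem" "$d/root.pem" > "$d/3rd-party-ca-cert.pem"
    openssl pkcs12 -export -in "$d/apache.cer" -inkey "$d/apache.key" \
        -passout pass:bundle-secret -out "$d/apache.p12" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
    openssl pkey -in "$d/apache.key" -aes256 -passout pass:key-secret -out "$d/locked.key" 2>/dev/null
    echo "$d"
}
```

On a real Manager, run preflight /tmp/apache.key /tmp/apache.cer /tmp/3rd-party-ca-cert.pem after extracting the files and before step 5; a mismatched key and certificate otherwise surface only as an httpd start failure after step 7, and a chain without its root only as browser warnings after the restart.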

© 2025 Red Hat