Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

此内容没有您所选择的语言版本。

5.10. Replacing SHA-1 Certificates with SHA-256 Certificates

Red Hat Virtualization 4.2 uses SHA-256 signatures, which provide a more secure way to sign SSL certificates than SHA-1. Newly installed 4.2 systems do not require any special steps to enable Red Hat Virtualization’s public key infrastructure (PKI) to use SHA-256 signatures. However, for upgraded systems one of the following is recommended:

Preventing Warning Messages from Appearing in the Browser

  1. Log in to the Manager machine as the root user.

  2. Check whether /etc/pki/ovirt-engine/openssl.conf includes the line default_md = sha256: 

    # cat /etc/pki/ovirt-engine/openssl.conf
    Copy to Clipboard Toggle word wrap

    If it still includes default_md = sha1, back up the existing configuration and change the default to sha256: 

    # cp -p /etc/pki/ovirt-engine/openssl.conf /etc/pki/ovirt-engine/openssl.conf."$(date +"%Y%m%d%H%M%S")"
# sed -i 's/^default_md = sha1/default_md = sha256/' /etc/pki/ovirt-engine/openssl.conf
    Copy to Clipboard Toggle word wrap

  3. Define the certificate that should be re-signed: 

    # names="apache"
    Copy to Clipboard Toggle word wrap

  4. On the Manager, re-sign the Apache certificate: 

    for name in $names; do
    subject="$(
        openssl \
            x509 \
            -in /etc/pki/ovirt-engine/certs/"${name}".cer \
            -noout \
            -subject \
        | sed \
            's;subject= \(.*\);\1;' \
    )"
   /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
        --name="${name}" \
        --password=mypass \
        --subject="${subject}" \
        --keep-key
done
    Copy to Clipboard Toggle word wrap

  5. Restart the httpd service: 

    # systemctl restart httpd
    Copy to Clipboard Toggle word wrap
  6. Connect to the Administration Portal to confirm that the warning no longer appears.
  7. If you previously imported a CA or https certificate into the browser, find the certificate(s), remove them from the browser, and reimport the new CA certificate. Install the certificate authority according to the instructions provided by your browser. To get the certificate authority’s certificate, navigate to http://your-manager-fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA, replacing your-manager-fqdn with the fully qualified domain name (FQDN).

Replacing All Signed Certificates with SHA-256

  1. Log in to the Manager machine as the root user.

  2. Check whether /etc/pki/ovirt-engine/openssl.conf includes the line default_md = sha256: 

    # cat /etc/pki/ovirt-engine/openssl.conf
    Copy to Clipboard Toggle word wrap

    If it still includes default_md = sha1, back up the existing configuration and change the default to sha256: 

    # cp -p /etc/pki/ovirt-engine/openssl.conf /etc/pki/ovirt-engine/openssl.conf."$(date +"%Y%m%d%H%M%S")"
# sed -i 's/^default_md = sha1/default_md = sha256/' /etc/pki/ovirt-engine/openssl.conf
    Copy to Clipboard Toggle word wrap

  3. Re-sign the CA certificate by backing it up and creating a new certificate in ca.pem.new: 

    # cp -p /etc/pki/ovirt-engine/private/ca.pem /etc/pki/ovirt-engine/private/ca.pem."$(date +"%Y%m%d%H%M%S")"
# openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem -in /etc/pki/ovirt-engine/ca.pem -out /etc/pki/ovirt-engine/ca.pem.new -days 3650 -sha256
    Copy to Clipboard Toggle word wrap

  4. Replace the existing certificate with the new certificate: 

    # mv /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/ca.pem
    Copy to Clipboard Toggle word wrap

  5. Define the certificates that should be re-signed: 

    # names="engine apache websocket-proxy jboss imageio-proxy"
    Copy to Clipboard Toggle word wrap

    If you replaced the Red Hat Virtualization Manager SSL Certificate after the upgrade, run the following instead: 

    # names="engine websocket-proxy jboss imageio-proxy"
    Copy to Clipboard Toggle word wrap

    For more details see Replacing the Red Hat Virtualization Manager SSL Certificate in the Administration Guide.

  6. On the Manager, re-sign the certificates: 

    for name in $names; do
   subject="$(
        openssl \
            x509 \
            -in /etc/pki/ovirt-engine/certs/"${name}".cer \
            -noout \
            -subject \
        | sed \
            's;subject= \(.*\);\1;' \
        )"
     /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
            --name="${name}" \
            --password=mypass \
            --subject="${subject}" \
            --keep-key
done
    Copy to Clipboard Toggle word wrap

  7. Restart the following services: 

    # systemctl restart httpd
# systemctl restart ovirt-engine
# systemctl restart ovirt-websocket-proxy
# systemctl restart ovirt-imageio-proxy
    Copy to Clipboard Toggle word wrap
  8. Connect to the Administration Portal to confirm that the warning no longer appears.
  9. If you previously imported a CA or https certificate into the browser, find the certificate(s), remove them from the browser, and reimport the new CA certificate. Install the certificate authority according to the instructions provided by your browser. To get the certificate authority’s certificate, navigate to http://your-manager-fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA, replacing your-manager-fqdn with the fully qualified domain name (FQDN).

  10. Enroll the certificates on the hosts. Repeat the following procedure for each host.

    1. In the Administration Portal, click Compute Hosts.
    2. Select the host and click Management Maintenance.
    3. Once the host is in maintenance mode, click Installation Enroll Certificate.
    4. Click Management Activate.
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat