Appendix D. Red Hat Enterprise Virtualization and SSL

D.1. Replacing the Red Hat Enterprise Virtualization Manager SSL Certificate

Warning

Do not change the permissions and ownerships for the /etc/pki directory or any subdirectories. The permission for the /etc/pki and the /etc/pki/ovirt-engine directory must remain as the default 755.
You want to use your organization's commercially signed certificate to identify your Red Hat Enterprise Virtualization Manager to users connecting over HTTPS.

Note

Using a commercially issued certificate for https connections does not affect the certificate used for authentication between your Manager and hosts, they will continue to use the self-signed certificate generated by the Manager.
Prerequisites

This procedure requires a PEM formatted certificate from your commercial certificate issuing authority, a .nokey file, and a .cer file. The .nokey and .cer files are sometimes distributed as a certificate-key bundle in the P12 format.

This procedure assumes that you have a certificate-key bundle in the P12 format.

Procedure D.1. Replacing the Red Hat Enterprise Virtualization Manager Apache SSL Certificate

  1. The Manager has been configured to use /etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to /etc/pki/ovirt-engine/ca.pem. Remove the symbolic link. 
    # rm /etc/pki/ovirt-engine/apache-ca.pem
  2. Save your commercially issued certificate as /etc/pki/ovirt-engine/apache-ca.pem. The certificate chain must be complete up to the root certificate. The chain order is important and should be from the last intermediate certificate to the root certificate. 
    mv YOUR-3RD-PARTY-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
  3. Move your P12 bundle to /etc/pki/ovirt-engine/keys/apache.p12.
  4. Extract the key from the bundle. 
    # openssl pkcs12 -in  /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
  5. Extract the certificate from the bundle. 
    # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
  6. Restart the Apache server. 
    # service httpd restart
Your users can now connect to the portals without being warned about the authenticity of the certificate used to encrypt https traffic.

Important

Replacing the certificate can cause the log collector to fail, as documented in https://access.redhat.com/solutions/458713. To avoid this failure, edit the log collector's configuration:
  1. Export the CA certificate from the CA server and copy it to the Red Hat Enterprise Virtualization Manager server.
  2. Point the log collector to the new location by adding the following to /etc/ovirt-engine/logcollector.conf: 
    cert-file=/path/to/new/CA/file