Appendix D. Red Hat Virtualization and SSL
D.1. Replacing the Red Hat Virtualization Manager SSL/TLS Certificate
Warning
/etc/pki directory or any subdirectories. The permissions on the /etc/pki and /etc/pki/ovirt-engine directories must remain at the default 755.
Note
Prerequisites
- A third-party CA certificate. This is the certificate of the CA (Certificate Authority) that issued the certificate you want to use. It is provided as a PEM file. The certificate chain must be complete up to the root certificate. The order of the chain is critical: it must run from the last intermediate certificate to the root certificate. This procedure assumes that the third-party CA certificate is provided in /tmp/3rd-party-ca-cert.pem.
- The private key that you want to use for Apache httpd. It must not have a password. This procedure assumes that it is located in /tmp/apache.key.
- The certificate issued by the CA. This procedure assumes that it is located in /tmp/apache.cer.
Procedure D.1. Extracting the Certificate and Private Key from a P12 Bundle
/etc/pki/ovirt-engine/keys/apache.p12. Red Hat recommends storing your new file in the same location. The following procedure assumes that the new P12 file is in /tmp/apache.p12.
- Back up the current apache.p12 file:
# cp -p /etc/pki/ovirt-engine/keys/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12.bck
- Replace the current file with the new file:
# cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
- Extract the private key and certificate to the required locations. If the file is password protected, you must add -passin pass:password to the openssl commands, replacing password with the required password.
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /tmp/apache.key
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /tmp/apache.cer
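The following script is an added example and is not part of the Red Hat documentation. It builds a throwaway root -> intermediate -> server PKI, packs the server key and certificate into a password-protected P12 bundle the way a CA or vendor might deliver one, extracts them with the same openssl pkcs12 commands as Procedure D.1, and then checks the extracted material against the prerequisites above: the CA file is ordered from the last intermediate to a self-signed root, the private key has no password, and the key belongs to the certificate. All file names, the subject names and the P12 password "demo" are constructed for the demo; the only assumption is an openssl command-line tool on the host.

```sh
#!/bin/sh
# Added example, not from the Red Hat documentation. Generates a demo PKI,
# extracts key and certificate from a protected P12 as Procedure D.1 does,
# and validates the result against the prerequisites of the appendix.
# Names, subjects and the password "demo" are constructed for this demo.
set -u

# Generate the demo PKI (root, intermediate, server cert, P12) in directory $1.
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=manager.example.com" \
        -keyout "$d/apache.key" -out "$d/apache.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$d/apache.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/apache.cer" 2>/dev/null || return 1
    # Third-party CA file in the order the prerequisites require: intermediate first, root last.
    cat "$d/int.pem" "$d/root.pem" > "$d/3rd-party-ca-cert.pem"
    openssl pkcs12 -export -in "$d/apache.cer" -inkey "$d/apache.key" \
        -out "$d/apache.p12" -passout pass:demo 2>/dev/null
}

# Procedure D.1, extraction step: key and certificate out of P12 $1 into $2/, P12 password $3.
extract_p12() {
    p12=$1; out=$2; pw=$3
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pw" > "$out/apache.key" 2>/dev/null || return 1
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pw" > "$out/apache.cer" 2>/dev/null
}

# Print the subject_hash or issuer_hash ($3) of certificate number $2 (1-based) in PEM bundle $1.
nth_cert_hash() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{n++} n==want{print}' "$1" \
        | openssl x509 -noout "-$3"
}

# Check CA file $1, private key $2 and certificate $3 against the prerequisites.
check_material() {
    cafile=$1; key=$2; cert=$3
    openssl pkey -in "$key" -noout -passin pass: 2>/dev/null \
        || { echo "FAIL: private key is password protected or unreadable"; return 1; }
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "FAIL: key does not match certificate"; return 1; }
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cafile")
    [ "$n" -ge 1 ] || { echo "FAIL: CA file contains no certificate"; return 1; }
    [ "$(openssl x509 -in "$cert" -noout -issuer_hash)" = "$(nth_cert_hash "$cafile" 1 subject_hash)" ] \
        || { echo "FAIL: first CA certificate did not issue the server certificate (wrong order?)"; return 1; }
    [ "$(nth_cert_hash "$cafile" "$n" subject_hash)" = "$(nth_cert_hash "$cafile" "$n" issuer_hash)" ] \
        || { echo "FAIL: last CA certificate is not a self-signed root (chain incomplete?)"; return 1; }
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not verify against the CA file"; return 1; }
    echo "OK: material satisfies the prerequisites"
}

# End-to-end demo; returns 0 only when every expectation holds.
run_demo() {
    w=$(mktemp -d) || return 1
    mkdir "$w/out"
    make_demo_pki "$w" || return 1
    # Without -passin, extracting a protected bundle must fail, as the step warns.
    extract_p12 "$w/apache.p12" "$w/out" "" && return 1
    extract_p12 "$w/apache.p12" "$w/out" demo || return 1
    check_material "$w/3rd-party-ca-cert.pem" "$w/out/apache.key" "$w/out/apache.cer" || return 1
    # A CA file in the wrong order (root first) must be rejected.
    cat "$w/root.pem" "$w/int.pem" > "$w/wrong-order.pem"
    check_material "$w/wrong-order.pem" "$w/out/apache.key" "$w/out/apache.cer" && return 1
    rm -rf "$w"
}

run_demo
```

To check real material, call check_material /tmp/3rd-party-ca-cert.pem /tmp/apache.key /tmp/apache.cer after the extraction step; the issuer/subject hash comparison catches a chain pasted in the wrong order before httpd is restarted with it, and the pkey check catches a key that still carries a passphrase, which httpd cannot load unattended.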
Important
Procedure D.2. Replacing the Red Hat Virtualization Manager Apache SSL Certificate
- Add your CA certificate to the host-wide trust store:
# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ca-trust/source/anchors
# update-ca-trust
- The Manager has been configured to use /etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to /etc/pki/ovirt-engine/ca.pem. Remove the symbolic link:
# rm /etc/pki/ovirt-engine/apache-ca.pem
- Save your CA certificate as /etc/pki/ovirt-engine/apache-ca.pem:
# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem
- Back up the existing private key and certificate:
# cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
# cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
- Copy the private key to the required location:
# cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
- Copy the certificate to the required location:
# cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
- Restart the Apache server:
# systemctl restart httpd.service
- Create a new trust store configuration file:
# vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
Add the following content and save the file:
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
- Edit the /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf file:
# vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
Make the following changes and save the file:
SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
- Restart the ovirt-engine service:
# systemctl restart ovirt-engine.service
- Replacing the certificate can cause the log collector to fail. To prevent this, create a new log collector configuration file:
# vi /etc/ovirt-engine/logcollector.conf.d/99-custom-ca-cert.conf
Add the following content and save the file:
[LogCollector]
cert-file=/etc/pki/ovirt-engine/apache-ca.pem
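The following script is an added example and is not part of the Red Hat documentation. It audits the on-disk end state of Procedure D.2 under a root directory, so the same function can be pointed at / on a Manager after the steps above, or at a constructed tree for a dry run. It checks the permission requirement from the warning at the top of this appendix (755 on /etc/pki and /etc/pki/ovirt-engine), that apache-ca.pem is now a regular file rather than the default symbolic link to ca.pem, that apache.key.nopass belongs to apache.cer and that apache.cer verifies against apache-ca.pem, and that the three drop-in files carry the documented settings. The demo tree is constructed here and, for brevity, uses one self-signed certificate as both the server certificate and the "third-party CA"; the only assumptions are the openssl command-line tool and GNU stat.

```sh
#!/bin/sh
# Added example, not from the Red Hat documentation. Audits a Manager tree
# (real: /, or a constructed test tree) for the end state of Procedure D.2.
set -u

# Return 0 when the tree rooted at $1 matches the post-procedure state;
# print each finding and return 1 otherwise.
audit_manager_tls() {
    r=${1%/}; fail=0
    pki=$r/etc/pki/ovirt-engine; ec=$r/etc/ovirt-engine
    # Warning at the top of the appendix: both directories keep the default mode 755.
    for d in "$r/etc/pki" "$pki"; do
        [ "$(stat -c %a "$d" 2>/dev/null)" = 755 ] || { echo "FAIL: $d is not mode 755"; fail=1; }
    done
    # apache-ca.pem must be a regular file holding the CA chain, not the old link to ca.pem.
    [ ! -L "$pki/apache-ca.pem" ] || { echo "FAIL: apache-ca.pem is still a symbolic link"; fail=1; }
    [ -f "$pki/apache-ca.pem" ] || { echo "FAIL: apache-ca.pem is missing"; fail=1; }
    # The passwordless key must belong to the installed certificate, and that certificate
    # must chain to apache-ca.pem; otherwise httpd fails to start or clients fail to validate.
    k=$(openssl pkey -in "$pki/keys/apache.key.nopass" -pubout -passin pass: 2>/dev/null)
    c=$(openssl x509 -in "$pki/certs/apache.cer" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "FAIL: apache.key.nopass does not match apache.cer"; fail=1; }
    openssl verify -CAfile "$pki/apache-ca.pem" "$pki/certs/apache.cer" >/dev/null 2>&1 \
        || { echo "FAIL: apache.cer does not verify against apache-ca.pem"; fail=1; }
    # The trust store, websocket proxy and log collector drop-ins carry the documented settings.
    grep -qx 'ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"' \
        "$ec/engine.conf.d/99-custom-truststore.conf" 2>/dev/null \
        || { echo "FAIL: engine trust store is not /etc/pki/java/cacerts"; fail=1; }
    grep -qx 'SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem' \
        "$ec/ovirt-websocket-proxy.conf.d/10-setup.conf" 2>/dev/null \
        || { echo "FAIL: websocket proxy SSL_CERTIFICATE not updated"; fail=1; }
    grep -qx 'cert-file=/etc/pki/ovirt-engine/apache-ca.pem' \
        "$ec/logcollector.conf.d/99-custom-ca-cert.conf" 2>/dev/null \
        || { echo "FAIL: log collector cert-file not updated"; fail=1; }
    [ "$fail" -eq 0 ] && echo "OK: tree matches the end state of Procedure D.2"
    return "$fail"
}

# Build a constructed post-procedure tree under $1 (demo only).
make_demo_tree() {
    r=$1; pki=$r/etc/pki/ovirt-engine; ec=$r/etc/ovirt-engine
    mkdir -p "$pki/keys" "$pki/certs" "$ec/engine.conf.d" \
        "$ec/ovirt-websocket-proxy.conf.d" "$ec/logcollector.conf.d" || return 1
    chmod 755 "$r/etc/pki" "$pki"
    # One self-signed certificate stands in for both the server certificate and the CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=manager.example.com" \
        -keyout "$pki/keys/apache.key.nopass" -out "$pki/certs/apache.cer" 2>/dev/null || return 1
    cp "$pki/certs/apache.cer" "$pki/apache-ca.pem"
    printf 'ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"\nENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""\n' \
        > "$ec/engine.conf.d/99-custom-truststore.conf"
    printf 'SSL_CERTIFICATE=/etc/pki/ovirt-engine/apache-ca.pem\nSSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass\n' \
        > "$ec/ovirt-websocket-proxy.conf.d/10-setup.conf"
    printf '[LogCollector]\ncert-file=/etc/pki/ovirt-engine/apache-ca.pem\n' \
        > "$ec/logcollector.conf.d/99-custom-ca-cert.conf"
}

# Demo: a correct tree passes; restoring the default symbolic link makes the audit fail.
run_demo() {
    w=$(mktemp -d) || return 1
    make_demo_tree "$w" || return 1
    audit_manager_tls "$w" || return 1
    mv "$w/etc/pki/ovirt-engine/apache-ca.pem" "$w/etc/pki/ovirt-engine/ca.pem"
    ln -s ca.pem "$w/etc/pki/ovirt-engine/apache-ca.pem"
    audit_manager_tls "$w" && return 1
    rm -rf "$w"
}

run_demo
```

On a Manager, run audit_manager_tls / as root after the last step; every line it prints names the step that still needs attention, and a clean "OK" means the files httpd, the websocket proxy and the log collector read are the ones the procedure intended.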